CVE-2020-11032
- EPSS 1.02%
- Veröffentlicht 05.05.2020 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:56:37
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
CVE-2013-2227
- EPSS 12.98%
- Veröffentlicht 01.11.2019 17:15:10
- Zuletzt bearbeitet 21.11.2024 01:51:17
GLPI 0.83.7 has Local File Inclusion in common.tabs.php.
CVE-2019-14666
- EPSS 2.23%
- Veröffentlicht 25.09.2019 20:15:10
- Zuletzt bearbeitet 21.11.2024 04:27:06
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated att...
CVE-2019-1010307
- EPSS 0.76%
- Veröffentlicht 15.07.2019 18:15:12
- Zuletzt bearbeitet 21.11.2024 04:18:09
GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vect...
CVE-2019-1010310
- EPSS 0.72%
- Veröffentlicht 12.07.2019 18:15:11
- Zuletzt bearbeitet 21.11.2024 04:18:09
GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is:...
CVE-2019-13240
- EPSS 1.75%
- Veröffentlicht 10.07.2019 14:15:11
- Zuletzt bearbeitet 21.11.2024 04:24:31
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
CVE-2019-13239
- EPSS 1.33%
- Veröffentlicht 04.07.2019 15:15:11
- Zuletzt bearbeitet 21.11.2024 04:24:31
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
CVE-2019-10233
- EPSS 1.39%
- Veröffentlicht 27.03.2019 17:29:02
- Zuletzt bearbeitet 21.11.2024 04:18:42
Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.
CVE-2018-13049
- EPSS 1.22%
- Veröffentlicht 02.07.2018 11:29:00
- Zuletzt bearbeitet 21.11.2024 03:46:18
The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php.
CVE-2018-7562
- EPSS 1.72%
- Veröffentlicht 12.03.2018 21:29:01
- Zuletzt bearbeitet 21.11.2024 04:12:22
A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/s...