CVE-2018-7563
- EPSS 1.11%
- Veröffentlicht 12.03.2018 21:29:01
- Zuletzt bearbeitet 21.11.2024 04:12:22
An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute J...
CVE-2017-11183
- EPSS 1.31%
- Veröffentlicht 28.07.2017 05:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter.
CVE-2017-11184
- EPSS 1.63%
- Veröffentlicht 28.07.2017 05:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.
CVE-2017-11474
- EPSS 1.44%
- Veröffentlicht 20.07.2017 04:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
CVE-2017-11475
- EPSS 1.21%
- Veröffentlicht 20.07.2017 04:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.
- EPSS 0.49%
- Veröffentlicht 19.07.2017 13:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.
CVE-2016-7509
- EPSS 0.64%
- Veröffentlicht 19.07.2017 13:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
CVE-2017-11329
- EPSS 1.24%
- Veröffentlicht 17.07.2017 13:18:20
- Zuletzt bearbeitet 13.05.2026 00:24:29
GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.
CVE-2016-7508
- EPSS 1.6%
- Veröffentlicht 21.06.2017 20:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
- EPSS 1.67%
- Veröffentlicht 05.10.2015 14:59:04
- Zuletzt bearbeitet 06.05.2026 22:30:45
GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.