ALT Linux Team

Branch c10f2 update on 2025-02-01

2025-02-01

ALT-BU-2025-2242-2

Branch c10f2 update bulletin.

ALT-PU-2025-2035-3

Package jhead updated to version 3.08-alt1 for branch c10f2 in task 371879.

Closed vulnerabilities

Published: 2022-10-17
Modified: 2025-05-13

CVE-2022-41751

Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.

Severity: HIGH (7.8)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:

ALT-PU-2025-2073-3

Package java-11-openjdk updated to version 11.0.26.0.4-alt0.c10.1 for branch c10f2 in task 371947.

Closed vulnerabilities

Published: 2025-02-06
Modified: 2026-03-04

BDU:2025-01180

Уязвимость компонентов Hotspot программной платформы Oracle Java SE, виртуальных машин Oracle GraalVM for JDK и Oracle GraalVM Enterprise Edition, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации и доступ на изменение, добавление или удаление данных

Severity: MEDIUM (4.8)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
References:
Published: 2025-01-21
Modified: 2025-06-18

CVE-2025-21502

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Severity: MEDIUM (4.8)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References:

ALT-PU-2025-2077-3

Package java-17-openjdk updated to version 17.0.14.0.7-alt1 for branch c10f2 in task 371942.

Closed vulnerabilities

Published: 2025-02-06
Modified: 2026-03-04

BDU:2025-01180

Уязвимость компонентов Hotspot программной платформы Oracle Java SE, виртуальных машин Oracle GraalVM for JDK и Oracle GraalVM Enterprise Edition, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации и доступ на изменение, добавление или удаление данных

Severity: MEDIUM (4.8)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
References:
Published: 2025-01-21
Modified: 2025-06-18

CVE-2025-21502

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Severity: MEDIUM (4.8)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References:

ALT-PU-2025-2085-3

Package java-21-openjdk updated to version 21.0.6.0.7-alt0.p10.1 for branch c10f2 in task 371957.

Closed vulnerabilities

Published: 2025-02-06
Modified: 2026-03-04

BDU:2025-01180

Уязвимость компонентов Hotspot программной платформы Oracle Java SE, виртуальных машин Oracle GraalVM for JDK и Oracle GraalVM Enterprise Edition, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации и доступ на изменение, добавление или удаление данных

Severity: MEDIUM (4.8)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
References:
Published: 2025-01-21
Modified: 2025-06-18

CVE-2025-21502

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Severity: MEDIUM (4.8)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
References:

ALT-PU-2025-2091-2

Package aiosmtpd updated to version 1.4.6-alt1 for branch c10f2 in task 371968.

Closed bugs

Bug #42360

new version

ALT-PU-2025-2093-3

Package glpi updated to version 10.0.17-alt1 for branch c10f2 in task 371980.

Closed vulnerabilities

Published: 2024-09-03

BDU:2024-06606

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с внешним контролем имени файла или пути, позволяющая нарушителю загрузить произвольный PHP-скрипт и перехватить загрузчик плагинов для выполнения этого произвольный скрипта

Severity: HIGH (7.2)Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (8.3)Vector: AV:N/AC:L/Au:M/C:C/I:C/A:C
References:
Published: 2024-09-03

BDU:2024-06607

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с неправильной нейтрализацией специальных элементов, используемых в команде SQL, позволяющая нарушителю изменить данные учетной записи другого пользователя и получить над ней контроль

Severity: HIGH (8.1)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Severity: HIGH (8.5)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
References:
Published: 2024-09-03

BDU:2024-06608

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с неправильным контролем доступа, позволяющая нарушителю обойти текущие правила разграничения доступа

Severity: MEDIUM (4.3)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
References:
Published: 2024-11-08

BDU:2024-09128

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с некорректным управлением сеансом, позволяющая нарушителю получить полный доступ к приложению

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-11-14

BDU:2024-09424

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-11-14

BDU:2024-09514

Уязвимость функции восстановления пароля системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, позволяющая нарушителю обойти существующие ограничения безопасности

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-11-14
Modified: 2025-02-06

BDU:2024-09515

Уязвимость реализации прикладного программного интерфейса системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, позволяющая нарушителю раскрыть конфиденциальную информацию

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2024-11-18

BDU:2024-09717

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с неправильным контролем доступа, позволяющая нарушителю получить несанкционированный доступ к учетной записи

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2025-01-16

BDU:2025-00328

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-01-16

BDU:2025-00329

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-01-16

BDU:2025-00330

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-01-16

BDU:2025-00331

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2025-01-16

BDU:2025-00332

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-01-16

BDU:2025-00333

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить SQL-инъекции

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2025-01-16

BDU:2025-00334

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-01-16

BDU:2025-00335

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-01-16

BDU:2025-00336

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю выполнить SQL-инъекции

Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.0)Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
References:
Published: 2025-01-20

BDU:2025-00485

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с неправильным контролем доступа, позволяющая нарушителю получить несанкционированный доступ к учетной записи

Severity: MEDIUM (5.4)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P
References:
Published: 2025-08-18

BDU:2025-09879

Уязвимость программного обеспечения для управления активами и центрами обработки данных GLPI, связанная с неправильным контролем доступа, позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2025-08-18

BDU:2025-09881

Уязвимость программного обеспечения для управления активами и центрами обработки данных GLPI, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальной информации

Severity: MEDIUM (5.3)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Published: 2024-07-10
Modified: 2025-01-07

CVE-2024-37147

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
Published: 2024-07-10
Modified: 2025-01-07

CVE-2024-37148

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
References:
Published: 2024-07-10
Modified: 2025-01-07

CVE-2024-37149

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-11-15
Modified: 2025-02-10

CVE-2024-38370

GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-11-15
Modified: 2024-11-20

CVE-2024-40638

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-11-15
Modified: 2024-11-20

CVE-2024-41678

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-11-15
Modified: 2024-11-20

CVE-2024-41679

GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-11-18
Modified: 2025-01-07

CVE-2024-43416

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2024-11-15
Modified: 2024-11-20

CVE-2024-43417

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-11-15
Modified: 2024-11-20

CVE-2024-43418

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-11-15
Modified: 2024-11-20

CVE-2024-45608

GLPI is a free asset and IT management software package. An authenticated user can perfom a SQL injection by changing its preferences. Upgrade to 10.0.17.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2024-11-15
Modified: 2024-11-19

CVE-2024-45609

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-11-15
Modified: 2024-11-19

CVE-2024-45610

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-11-15
Modified: 2024-11-19

CVE-2024-45611

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to triggger a stored XSS. Upgrade to 10.0.17.

Severity: MEDIUM (5.4)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-12-11
Modified: 2025-02-06

CVE-2024-47758

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.6)Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2024-11-15
Modified: 2025-01-23

CVE-2024-47759

GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

Severity: MEDIUM (4.8)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (6.7)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2024-12-11
Modified: 2025-01-23

CVE-2024-47760

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.5)Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2024-12-11
Modified: 2025-01-23

CVE-2024-47761

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Severity: HIGH (7.2)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.5)Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2024-12-11
Modified: 2025-01-10

CVE-2024-48912

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.

Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Severity: HIGH (7.2)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2024-12-12
Modified: 2025-01-10

CVE-2024-50339

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: CRITICAL (9.3)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:

ALT-PU-2025-2118-3

Package python3-module-tqdm updated to version 4.66.5-alt1.p10.1 for branch c10f2 in task 372024.

Closed vulnerabilities

Published: 2024-05-03
Modified: 2026-04-15

CVE-2024-34062

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity: MEDIUM (4.8)Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
References:

ALT-PU-2025-2120-3

Package perl-CPAN-Checksums updated to version 2.14-alt1 for branch c10f2 in task 372026.

Closed vulnerabilities

Published: 2021-12-13
Modified: 2024-11-21

CVE-2020-16155

The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:

ALT-PU-2025-2133-3

Package uw-imap updated to version 2010-alt1.1 for branch c10f2 in task 372067.

Closed vulnerabilities

Published: 2019-04-04
Modified: 2023-11-21

BDU:2019-01271

Уязвимость компонента IMAP интерпретатора языка программирования PHP, позволяющая нарушителю выполнять произвольные команды в операционной системе

Severity: HIGH (7.5)Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (8.5)Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
References:
Published: 2018-11-25
Modified: 2024-11-21

CVE-2018-19518

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

Severity: HIGH (8.5)Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:

ALT-PU-2025-2178-3

Package lynx updated to version 2.9.2-alt1.rel.0 for branch c10f2 in task 372135.

Closed vulnerabilities

Published: 2022-01-17
Modified: 2023-11-21

BDU:2022-00255

Уязвимость подкомпонента userinfo текстового веб-браузера Lynx, связанная с недостаточной защитой регистрационных данных, позволяющая нарушителю получить доступ к конфиденциальным данным

Severity: MEDIUM (5.3)Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: LOW (2.6)Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
References:
Published: 2021-08-07
Modified: 2024-11-21

CVE-2021-38165

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.

Severity: LOW (2.6)Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top