ALT Linux Team

Package glpi update in c10f2 on 2025-12-16

ALT-PU-2025-15784-3

Package glpi updated to version 10.0.19-alt1 for branch c10f2 in task 402925.

Closed vulnerabilities

Published: 2025-03-24

BDU:2025-03181

Уязвимость модуля Inventory системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, позволяющая нарушителю выполнить произвольный код

Severity: HIGH (8.5) Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: HIGH (7.1) Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
References:
Published: 2025-03-24
Modified: 2025-04-23

BDU:2025-03182

Уязвимость модуля Inventory системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, позволяющая нарушителю выполнить произвольные SQL команды

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2025-04-09
Modified: 2025-05-06

BDU:2025-04042

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с неправильной авторизацией, позволяющая нарушителю раскрыть защищаемую информацию

Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2025-04-09
Modified: 2025-05-06

BDU:2025-04043

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (5.8) Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
References:
Published: 2025-04-15

BDU:2025-04581

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнять атаки с использованием межсайтового скриптинга (XSS)

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2025-04-15

BDU:2025-04582

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с неправильной аутентификацией, позволяющая нарушителю обойти процесс аутентификации

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
References:
Published: 2025-04-15

BDU:2025-04583

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM (6.8) Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2025-09-10

BDU:2025-10945

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по нейтрализации script-related тэгов HTML на веб-странице, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (5.4) Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-09-10

BDU:2025-10946

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с недостаточной проверкой запросов на стороне сервера, позволяющая нарушителю осуществить SSRF-атаку

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Published: 2025-09-10

BDU:2025-10947

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по нейтрализации script-related тэгов HTML на веб-странице, позволяющая нарушителю выполнить произвольный код

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
References:
Published: 2025-09-17

BDU:2025-11259

Уязвимость программного обеспечения для управления активами и центрами обработки данных GLPI, связанная с неправильным управлением привилегиями, позволяющая нарушителю повысить свои привилегии

Severity: HIGH (7.5) Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (7.1) Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
References:
Published: 2025-09-19
Modified: 2025-10-07

BDU:2025-11359

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с переадресацией URL на ненадежный сайт при обработке параметра redirect, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

Severity: MEDIUM (4.3) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
References:
Published: 2025-10-15

BDU:2025-12944

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с недостаточной защитой регистрационных данных, позволяющая нарушителю получить несанкционированный доступ к учётным данным пользователя

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM (6.8) Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2025-10-15

BDU:2025-12945

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с ошибками разграничения доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM (6.8) Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
References:
Published: 2025-10-15

BDU:2025-12946

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с ошибками разграничения доступа, позволяющая нарушителю получить несанкционированный доступ на удаление защищаемой информации

Severity: MEDIUM (4.3) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
References:
Published: 2025-10-15

BDU:2025-12947

Уязвимость функции внешних ссылок системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, позволяющая нарушителю раскрыть защищаемую информацию

Severity: LOW (2.7) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM (4.0) Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
References:
Published: 2025-10-20

BDU:2025-13145

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с обходом авторизации посредством ключа, позволяющая нарушителю получить несанкционированный доступ на изменение защищаемой информации

Severity: MEDIUM (5.4) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM (5.5) Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
References:
Published: 2025-02-25
Modified: 2025-03-04

CVE-2024-11955

A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

Severity: MEDIUM (5.0) Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM (5.3) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-03-18
Modified: 2025-07-31

CVE-2025-21619

GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (8.2) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-02-25
Modified: 2025-03-04

CVE-2025-21626

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2025-02-25
Modified: 2025-03-04

CVE-2025-21627

GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2025-02-25
Modified: 2025-03-04

CVE-2025-23024

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Severity: MEDIUM (6.9) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-02-25
Modified: 2025-02-28

CVE-2025-23046

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: MEDIUM (6.3) Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References:
Published: 2025-03-18
Modified: 2025-07-31

CVE-2025-24799

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-03-18
Modified: 2025-08-01

CVE-2025-24801

GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-02-25
Modified: 2025-04-23

CVE-2025-25192

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2025-07-29
Modified: 2025-08-04

CVE-2025-27514

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-52567

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19.

Severity: MEDIUM (5.0) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-52897

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-53008

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2025-08-27
Modified: 2025-08-29

CVE-2025-53105

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-53111

GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-53112

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-53113

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.

Severity: LOW (2.7) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2025-07-30
Modified: 2025-08-04

CVE-2025-53357

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.2
Back to top