All errata/sisyphus/ALT-PU-2017-2291-1
ALT-PU-2017-2291-1

Package update glpi in branch sisyphus

Version9.1.6-alt2
Task#188639
Published2017-09-22
Max severityCRITICAL
Severity:

Closed issues (5)

CVE-2017-11183
MEDIUM4.9

front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter.

Published: 2017-07-28Modified: 2025-04-20
CVSS 2.0MEDIUM 5.5
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS 3.xMEDIUM 4.9
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
References
CVE-2017-11184
CRITICAL9.8

SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.

Published: 2017-07-28Modified: 2025-04-20
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2017-11329
CRITICAL9.8

GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.

Published: 2017-07-17Modified: 2025-04-20
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References