ALT-PU-2025-16958-6

BDU:2026-05594

MEDIUM4.3

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI связана с недостатками процедуры авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2026-04-20

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0СРЕДНЯЯ 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

Ссылки

CVE-2025-64520

BDU:2026-05697

HIGH8.8

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры запроса sql, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2026-04-22

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0КРИТИЧЕСКАЯ 9.0

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C

Ссылки

CVE-2026-22044

BDU:2026-05704

MEDIUM6.5

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнить произвольный код1

Опубликовано: 2026-04-22

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 2.0ВЫСОКАЯ 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N

Ссылки

CVE-2025-59935

CVE-2025-59935

MEDIUM6.5

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.

Опубликовано: 2025-12-16Изменено: 2026-02-02

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Ссылки

https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx

CVE-2025-64520

MEDIUM4.3

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.

Опубликовано: 2025-12-16Изменено: 2026-02-19

CVSS 3.xСРЕДНЯЯ 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Ссылки

CVE-2026-22044

HIGH8.8

GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.

Опубликовано: 2026-02-04Изменено: 2026-02-06

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2026-25932

MEDIUM4.8

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.

Опубликовано: 2026-04-06Изменено: 2026-04-07

CVSS 3.xСРЕДНЯЯ 4.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Ссылки

https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh

Обновление пакета glpi в ветке sisyphus

Закрытые проблемы (7)

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.

GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.