Filtered by vendor Glpi-project
Subscriptions
Total
155 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-7563 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. | ||||
| CVE-2018-7562 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php. | ||||
| CVE-2018-13049 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php. | ||||
| CVE-2017-11475 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php. | ||||
| CVE-2017-11474 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. | ||||
| CVE-2017-11329 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. | ||||
| CVE-2017-11184 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. | ||||
| CVE-2017-11183 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter. | ||||
| CVE-2016-7509 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket. | ||||
| CVE-2016-7508 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. | ||||
| CVE-2016-7507 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application. | ||||
| CVE-2015-7685 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php. | ||||
| CVE-2015-7684 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/. | ||||
| CVE-2014-9258 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. | ||||
| CVE-2014-8360 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php. | ||||
| CVE-2014-5032 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| GLPI before 0.84.7 does not properly restrict access to cost information, which allows remote attackers to obtain sensitive information via the cost criteria in the search bar. | ||||
| CVE-2013-5696 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action. | ||||
| CVE-2013-2227 | 2 Debian, Glpi-project | 2 Debian Linux, Glpi | 2024-11-21 | 7.5 High |
| GLPI 0.83.7 has Local File Inclusion in common.tabs.php. | ||||
| CVE-2013-2226 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php. | ||||
| CVE-2013-2225 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A |
| inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. | ||||