Attachment #245565 for bug #272685




    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.5.0</ge><lt>9.5.3</lt></range>
	<range><lt>9.5.3</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-10-01</discovery>
      <entry>2020-10-01</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.1</ge><lt>9.5.2</lt></range>
	<range><lt>9.5.2</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-06-25</discovery>
      <entry>2020-06-25</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.5.0</ge><lt>9.5.2</lt></range>
	<range><lt>9.5.2</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-06-25</discovery>
      <entry>2020-06-25</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.65</ge><lt>9.5.2</lt></range>
	<range><lt>9.5.2</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-06-25</discovery>
      <entry>2020-06-25</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.68</ge><lt>9.5.2</lt></range>
	<range><lt>9.5.2</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-06-25</discovery>
      <entry>2020-06-25</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.70</ge><lt>9.5.2</lt></range>
	<range><lt>9.5.2</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-06-25</discovery>
      <entry>2020-06-25</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.5.0</ge><lt>9.5.1</lt></range>
	<range><lt>9.5.1</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-06-25</discovery>
      <entry>2020-06-25</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.68.1</ge><lt>9.4.6</lt></range>
	<range><lt>9.4.6</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-03-30</discovery>
      <entry>2020-03-30</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.83.3</ge><lt>9.4.6</lt></range>
	<range><lt>9.4.6</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-03-30</discovery>
      <entry>2020-03-30</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>


    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.1</ge><lt>9.4.6</lt></range>
	<range><lt>9.4.6</lt></range>
      </package>
    </affects>
    <description>

    <dates>
      <discovery>2020-03-30</discovery>
      <entry>2020-03-30</entry>
      <modified>2023-10-11</modified>
    </dates>
  </vuln>





  <vuln vid="10e86b16-6836-11ee-b06f-0050569ceb3a">
    <topic>Unallowed PHP script execution in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>From the GLPI 10.0.10 Changelog:</p>
	<blockquote
	cite="https://github.com/glpi-project/glpi/releases/tag/10.0.10">
	<p>You will find below security issues fixed in this bugfixes version:
	[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).</p>
	</blockquote>
	<p>The mentioned CVE is invalid</p>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-42802</cvename>
      <url>https://github.com/glpi-project/glpi/releases/tag/10.0.10</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="894f2491-6834-11ee-b06f-0050569ceb3a">
    <topic>glpi-project -- SQL injection in ITIL actors in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>10.0.8</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  The ITIL
	actors input field from the Ticket form can be used to perform a
	SQL injection.  Users are advised to upgrade to version 10.0.10.
	There are no known workarounds for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-42461</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42461</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="54e5573a-6834-11ee-b06f-0050569ceb3a">
    <topic>Phishing through a login page malicious URL in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>10.0.8</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-2hcg-75jj-hghp">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  The lack
	of path filtering on the GLPI URL may allow an attacker to transmit
	a malicious URL of login page that can be used to attempt a phishing
	attack on user credentials.  Users are advised to upgrade to version
	10.0.10.  There are no known workarounds for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41888</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41888</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="20302cbc-6834-11ee-b06f-0050569ceb3a">
    <topic>Users login enumeration by unauthenticated user in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.68</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5cf4-6q6r-49x9">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  An
	unauthenticated user can enumerate users logins.  Users are advised
	to upgrade to version 10.0.10.  There are no known workarounds for
	this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41323</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41323</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="ae8b1445-6833-11ee-b06f-0050569ceb3a">
    <topic>Privilege Escalation from technician to super-admin in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.1.0</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-9j8m-7563-8xvr">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  A user
	with write access to another user can make requests to change the
	latter&apos;s password and then take control of their account.
	Users are advised to upgrade to version 10.0.10.  There are no known
	work around for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41322</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41322</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="6851f3bb-6833-11ee-b06f-0050569ceb3a">
    <topic>Sensitive fields enumeration through API in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.1.1</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-3fxw-j5rj-w836">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  An API
	user can enumerate sensitive fields values on resources on which
	he has read access.  Users are advised to upgrade to version 10.0.10.
	There are no known workarounds for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41321</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41321</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="df71f5aa-6831-11ee-b06f-0050569ceb3a">
    <topic>File deletion through document upload process in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>10.0.0</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  The document
	upload process can be diverted to delete some files.  Users are
	advised to upgrade to version 10.0.10.  There are no known workarounds
	for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-42462</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42462</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="95c4ec45-6831-11ee-b06f-0050569ceb3a">
    <topic>Account takeover through API in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.3.0</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  An API
	user that have read access on users resource can steal accounts of
	other users.  Users are advised to upgrade to version 10.0.10.
	There are no known workarounds for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41324</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41324</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="040e69f1-6831-11ee-b06f-0050569ceb3a">
    <topic>Account takeover via Kanban feature in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.5.0</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5wj6-hp4c-j5q9">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  A logged
	user from any profile can hijack the Kanban feature to alter any
	user field, and end-up with stealing its account.  Users are advised
	to upgrade to version 10.0.10.  There are no known workarounds for
	this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41326</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41326</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="6f6518ab-6830-11ee-b06f-0050569ceb3a">
    <topic>Account takeover via SQL Injection in UI layout preferences in GLPI</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>10.0.0</ge><lt>10.0.10</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-mv2r-gpw3-g476">
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
	Asset and IT Management Software package, that provides ITIL Service
	Desk features, licenses tracking and software auditing.  UI layout
	preferences management can be hijacked to lead to SQL injection.
	This injection can be use to takeover an administrator account.
	Users are advised to upgrade to version 10.0.10.  There are no known
	workarounds for this vulnerability.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-41320</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41320</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="257e1bf0-682f-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection via dashboard administration</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.5.0</ge><lt>10.0.9</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.9">
	  <p>GLPI is a Free Asset and IT Management Software package, Data center
	management, ITIL Service Desk, licenses tracking and software
	auditing.  An administrator can trigger SQL injection via dashboards
	administration.  This vulnerability has been patched in version
	10.0.9.
	</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-37278</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-37278</url>
    </references>
    <dates>
      <discovery>2023-07-13</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="40173815-6827-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthorized access to User data</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.68</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Versions
	of the software starting with 0.68 and prior to 10.0.8 have an
	incorrect rights check on a on a file accessible by an authenticated
	user.  This allows access to the list of all users and their personal
	information.  Users should upgrade to version 10.0.8 to receive a
	patch.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-34106</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34106</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="1fe40200-6823-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthorized access to KnowbaseItem data</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.2.0</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Versions
	of the software starting with 9.2.0 and prior to 10.0.8 have an
	incorrect rights check on a on a file accessible by an authenticated
	user, allows access to the view all KnowbaseItems.  Version 10.0.8
	has a patch for this issue.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-34107</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34107</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="b14a6ddc-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to reflected XSS in search pages</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.4.0</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Starting
	in version 9.4.0 and prior to version 10.0.8, a malicious link can
	be crafted by an unauthenticated user that can exploit a reflected
	XSS in case any authenticated user opens the crafted link.  Users
	should upgrade to version 10.0.8 to receive a patch.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-34244</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34244</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="95fde6bc-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthenticated access to Dashboard data</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>9.5.0</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Starting
	in version 9.5.0 and prior to version 10.0.8, an incorrect rights
	check on a file allows an unauthenticated user to be able to access
	dashboards data.  Version 10.0.8 contains a patch for this issue.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-35940</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35940</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="717efd8a-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthorized access to Dashboard data</topic>
    <affects>
      <package>
	<name>glpi</name>
<range><ge>9.5.0</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Starting
	in version 9.5.0 and prior to version 10.0.8, an incorrect rights
	check on a on a file accessible by an authenticated user (or not
	for certain actions), allows a threat actor to interact, modify,
	or see Dashboard data.  Version 10.0.8 contains a patch for this
	issue.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-35939</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35939</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="548a4163-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection through Computer Virtual Machine information</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>0.80</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Starting
	in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
	form and GLPI inventory request can be used to perform a SQL injection
	attack.  Version 10.0.8 has a patch for this issue.  As a workaround,
	one may disable native inventory.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-36808</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-36808</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="e44e5ace-6820-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection via inventory agent request</topic>
    <affects>
      <package>
	<name>glpi</name>
	<range><ge>10.0.0</ge><lt>10.0.8</lt></range>
      </package>
    </affects>
    <description>
	<body xmlns="http://www.w3.org/1999/xhtml">
	<p>security-advisories@github.com reports:</p>
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
	  <p>GLPI is a free asset and IT management software package.  Starting
	in version 10.0.0 and prior to version 10.0.8, GLPI inventory
	endpoint can be used to drive a SQL injection attack.  By default,
	GLPI inventory endpoint requires no authentication.  Version 10.0.8
	has a patch for this issue.  As a workaround, one may disable native
	inventory.</p>
	</blockquote>
	</body>
    </description>
    <references>
      <cvename>CVE-2023-35924</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35924</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="4f254817-6318-11ee-b2ff-080027de9982">
    <topic>Django -- multiple vulnerabilities</topic>
    <affects>

Lines 1-6 Link Here

(-)b/www/glpi/Makefile (-3 / +2 lines)
1	PORTNAME= glpi	1	PORTNAME= glpi
2	PORTVERSION= 10.0.7	2	PORTVERSION= 10.0.10
3	PORTEPOCH= 1	3	PORTEPOCH= 2
4	CATEGORIES= www	4	CATEGORIES= www
5	MASTER_SITES= https://github.com/glpi-project/glpi/releases/download/${PORTVERSION}/	5	MASTER_SITES= https://github.com/glpi-project/glpi/releases/download/${PORTVERSION}/
6		6
Lines 15-21 CPE_VENDOR= glpi-project Link Here
15	USE_PHP= bz2 ctype curl exif fileinfo gd iconv intl mbstring \	15	USE_PHP= bz2 ctype curl exif fileinfo gd iconv intl mbstring \
16	mysqli opcache session simplexml sodium xml xmlrpc zip zlib \	16	mysqli opcache session simplexml sodium xml xmlrpc zip zlib \
17	dom filter	17	dom filter
18	IGNORE_WITH_PHP= 82 83
19		18
20	NO_ARCH= yes	19	NO_ARCH= yes
21	NO_BUILD= yes	20	NO_BUILD= yes

Lines 1-3 Link Here

(-)b/www/glpi/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1683389004	1	TIMESTAMP = 1696934290
2	SHA256 (glpi-10.0.7.tgz) = 0d51de960272d3d5b322e83d74a8261423d4baefad5ef815402591e8ead04e53	2	SHA256 (glpi-10.0.10.tgz) = b303eece25bcbf81cd6bcd74b2a8412f02b33c3471bd935530b06470dcf7b051
3	SIZE (glpi-10.0.7.tgz) = 56550228	3	SIZE (glpi-10.0.10.tgz) = 59092816




%%WWWDIR%%/ajax/compareKbRevisions.php
%%WWWDIR%%/ajax/dashboard.php
%%WWWDIR%%/ajax/dcroom_size.php
%%WWWDIR%%/ajax/debug.php
%%WWWDIR%%/ajax/displayMessageAfterRedirect.php
%%WWWDIR%%/ajax/domainrecord_data_form.php
%%WWWDIR%%/ajax/dropdownAllItems.php

%%WWWDIR%%/ajax/getMapPoint.php
%%WWWDIR%%/ajax/getShareDashboardDropdownValue.php
%%WWWDIR%%/ajax/getUserPicture.php
%%WWWDIR%%/ajax/get_item_content.php
%%WWWDIR%%/ajax/helpdesk_observer.php
%%WWWDIR%%/ajax/impact.php
%%WWWDIR%%/ajax/index.php

%%WWWDIR%%/ajax/unlockobject.php
%%WWWDIR%%/ajax/updateTrackingDeviceType.php
%%WWWDIR%%/ajax/updateTranslationFields.php
%%WWWDIR%%/ajax/updateTranslationValue.php
%%WWWDIR%%/ajax/updatecurrenttab.php
%%WWWDIR%%/ajax/viewsubitem.php
%%WWWDIR%%/ajax/visibility.php

%%WWWDIR%%/css/includes/components/_asset-form.scss
%%WWWDIR%%/css/includes/components/_browser_tree.scss
%%WWWDIR%%/css/includes/components/_buttons-group.scss
%%WWWDIR%%/css/includes/components/_debug-toolbar.scss
%%WWWDIR%%/css/includes/components/_documentation.scss
%%WWWDIR%%/css/includes/components/_fileupload.scss
%%WWWDIR%%/css/includes/components/_flatpickr.scss

%%WWWDIR%%/css/lib/bootstrap/scss/mixins/_visually-hidden.scss
%%WWWDIR%%/css/lib/bootstrap/scss/utilities/_api.scss
%%WWWDIR%%/css/lib/bootstrap/scss/vendor/_rfs.scss
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-100-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-200-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-300-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-400-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-500-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-600-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-700-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-800-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-all-900-normal.woff
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-cyrillic-100-normal.woff2
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-cyrillic-200-normal.woff2
%%WWWDIR%%/css/lib/fontsource/inter/files/inter-cyrillic-300-normal.woff2

%%WWWDIR%%/front/fieldunicity.php
%%WWWDIR%%/front/filesystem.form.php
%%WWWDIR%%/front/filesystem.php
%%WWWDIR%%/front/find_num.php
%%WWWDIR%%/front/fqdn.form.php
%%WWWDIR%%/front/fqdn.php
%%WWWDIR%%/front/graph.send.php

%%WWWDIR%%/install/migrations/update_10.0.6_to_10.0.7/ticket_fix_internal_tto_escalation.php
%%WWWDIR%%/install/migrations/update_10.0.6_to_10.0.7/unmanageds.php
%%WWWDIR%%/install/migrations/update_10.0.6_to_10.0.7/wrong_fkey.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/changes.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/configs.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/dates.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/networkport.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/problems.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/queuednotification.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/ram_field.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/rule.php
%%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8/rule_tickets.php
%%WWWDIR%%/install/migrations/update_10.0.8_to_10.0.9.php
%%WWWDIR%%/install/migrations/update_10.0.8_to_10.0.9/queuednotification.php
%%WWWDIR%%/install/migrations/update_10.0.9_to_10.0.10.php
%%WWWDIR%%/install/migrations/update_10.0.9_to_10.0.10/configs.php
%%WWWDIR%%/install/migrations/update_10.0.9_to_10.0.10/ldap_fields.php
%%WWWDIR%%/install/migrations/update_10.0.9_to_10.0.10/mailcollector.php
%%WWWDIR%%/install/migrations/update_10.0.9_to_10.0.10/templates.php
%%WWWDIR%%/install/migrations/update_9.1.0_to_9.1.1.php
%%WWWDIR%%/install/migrations/update_9.1.1_to_9.1.3.php
%%WWWDIR%%/install/migrations/update_9.1.x_to_9.2.0.php

%%WWWDIR%%/install/migrations/update_9.5.x_to_10.0.0/transfer.php
%%WWWDIR%%/install/migrations/update_9.5.x_to_10.0.0/uuids.php
%%WWWDIR%%/install/mysql/.htaccess
%%WWWDIR%%/install/mysql/glpi-0.80.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.6-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.80.7-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.6-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.7-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.8-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.83.9-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.6-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.7-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.84.8-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.85.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.85.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.85.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.85.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.85.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.85.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.90.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.90.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.90.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.90.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.90.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-0.90.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.2-empty.sql

%%WWWDIR%%/install/mysql/glpi-10.0.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.6-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.7-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.8-empty.sql
%%WWWDIR%%/install/mysql/glpi-10.0.9-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.5-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.6-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.1.7-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.2.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.2.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.2.2-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.2.3-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.2.4-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.3.0-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.3.1-empty.sql
%%WWWDIR%%/install/mysql/glpi-9.3.2-empty.sql

%%WWWDIR%%/js/marketplace.min.js
%%WWWDIR%%/js/misc.js
%%WWWDIR%%/js/misc.min.js
%%WWWDIR%%/js/modules/Debug/Debug.js
%%WWWDIR%%/js/modules/Debug/Debug.min.js
%%WWWDIR%%/js/modules/Kanban/Kanban.js
%%WWWDIR%%/js/modules/Kanban/Kanban.min.js
%%WWWDIR%%/js/modules/Search/GenericView.js

%%WWWDIR%%/js/rack.min.js
%%WWWDIR%%/js/reservations.js
%%WWWDIR%%/js/reservations.min.js
%%WWWDIR%%/js/webkit_fix.js
%%WWWDIR%%/js/webkit_fix.min.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/LICENSE.txt
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.fileupload-process.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.fileupload-process.min.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.fileupload-validate.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.fileupload-validate.min.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.fileupload.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.fileupload.min.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.iframe-transport.js
%%WWWDIR%%/lib/blueimp/jquery-file-upload/jquery.iframe-transport.min.js
%%WWWDIR%%/lib/bundles/base.js
%%WWWDIR%%/lib/bundles/base.min.js
%%WWWDIR%%/lib/bundles/chartist.js

%%WWWDIR%%/public/lib/tinymce-i18n/langs6/ug.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/uk.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/uk.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/uz.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/uz.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/vi.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/vi.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh-Hans.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh-Hans.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh-Hant.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh-Hant.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh_HK.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh_HK.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh_MO.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh_MO.min.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh_SG.js
%%WWWDIR%%/public/lib/tinymce-i18n/langs6/zh_SG.min.js
%%WWWDIR%%/public/lib/tinymce.js
%%WWWDIR%%/public/lib/tinymce.js.map
%%WWWDIR%%/public/lib/tinymce.min.js

%%WWWDIR%%/src/DCRoom.php
%%WWWDIR%%/src/Dashboard/Dashboard.php
%%WWWDIR%%/src/Dashboard/Filter.php
%%WWWDIR%%/src/Dashboard/Filters/AbstractFilter.php
%%WWWDIR%%/src/Dashboard/Filters/DatesFilter.php
%%WWWDIR%%/src/Dashboard/Filters/DatesModFilter.php
%%WWWDIR%%/src/Dashboard/Filters/GroupTechFilter.php
%%WWWDIR%%/src/Dashboard/Filters/ItilCategoryFilter.php
%%WWWDIR%%/src/Dashboard/Filters/LocationFilter.php
%%WWWDIR%%/src/Dashboard/Filters/ManufacturerFilter.php
%%WWWDIR%%/src/Dashboard/Filters/RequestTypeFilter.php
%%WWWDIR%%/src/Dashboard/Filters/StateFilter.php
%%WWWDIR%%/src/Dashboard/Filters/TicketTypeFilter.php
%%WWWDIR%%/src/Dashboard/Filters/UserTechFilter.php
%%WWWDIR%%/src/Dashboard/Grid.php
%%WWWDIR%%/src/Dashboard/Item.php
%%WWWDIR%%/src/Dashboard/Provider.php

%%WWWDIR%%/src/DatabaseInstanceType.php
%%WWWDIR%%/src/Datacenter.php
%%WWWDIR%%/src/DbUtils.php
%%WWWDIR%%/src/Debug/Profile.php
%%WWWDIR%%/src/Debug/Profiler.php
%%WWWDIR%%/src/Debug/ProfilerSection.php
%%WWWDIR%%/src/Debug/Toolbar.php
%%WWWDIR%%/src/DeviceBattery.php
%%WWWDIR%%/src/DeviceBatteryModel.php
%%WWWDIR%%/src/DeviceBatteryType.php

%%WWWDIR%%/src/HTMLTableUnknownHeadersOrder.php
%%WWWDIR%%/src/Holiday.php
%%WWWDIR%%/src/Html.php
%%WWWDIR%%/src/Http/Firewall.php
%%WWWDIR%%/src/Http/ProxyRouter.php
%%WWWDIR%%/src/Http/Response.php
%%WWWDIR%%/src/IPAddress.php

%%WWWDIR%%/src/USBVendor.php
%%WWWDIR%%/src/Unmanaged.php
%%WWWDIR%%/src/Update.php
%%WWWDIR%%/src/UploadHandler.php
%%WWWDIR%%/src/User.php
%%WWWDIR%%/src/UserCategory.php
%%WWWDIR%%/src/UserEmail.php

%%WWWDIR%%/templates/components/checkbox_matrix.html.twig
%%WWWDIR%%/templates/components/dashboard/widget_form.html.twig
%%WWWDIR%%/templates/components/dates_timeline.html.twig
%%WWWDIR%%/templates/components/debug/debug_toolbar.html.twig
%%WWWDIR%%/templates/components/dropdown/limit.html.twig
%%WWWDIR%%/templates/components/form/buttons.html.twig
%%WWWDIR%%/templates/components/form/computerantivirus.html.twig

%%WWWDIR%%/templates/components/modal.html.twig
%%WWWDIR%%/templates/components/pager.html.twig
%%WWWDIR%%/templates/components/photoswipe.html.twig
%%WWWDIR%%/templates/components/plugin_uninstall_modal.html.twig
%%WWWDIR%%/templates/components/rss_feed.html.twig
%%WWWDIR%%/templates/components/search/controls.html.twig
%%WWWDIR%%/templates/components/search/display_data.html.twig

%%WWWDIR%%/templates/components/user/info_card.html.twig
%%WWWDIR%%/templates/components/user/link_with_tooltip.html.twig
%%WWWDIR%%/templates/components/user/picture.html.twig
%%WWWDIR%%/templates/debug_panel.html.twig
%%WWWDIR%%/templates/display_and_die.html.twig
%%WWWDIR%%/templates/dropdown_form.html.twig
%%WWWDIR%%/templates/generic_show_form.html.twig

%%WWWDIR%%/templates/password_form.html.twig
%%WWWDIR%%/vendor/.htaccess
%%WWWDIR%%/vendor/autoload.php
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/LICENSE.txt
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/README.md
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/SECURITY.md
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/VULNERABILITIES.md
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/composer.json
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-noscript.css
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui-noscript.css
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui.css
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/css/jquery.fileupload.css
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/docker-compose.yml
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/img/loading.gif
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/img/progressbar.gif
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/cors/jquery.postmessage-transport.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/cors/jquery.xdr-transport.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/demo.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-audio.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-image.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-process.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-ui.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-validate.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-video.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/package-lock.json
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/package.json
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/gae-python/app.yaml
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/gae-python/main.py
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/gae-python/static/favicon.ico
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/gae-python/static/robots.txt
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php/Dockerfile
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php/UploadHandler.php
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php/files/.htaccess
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php/index.php
%%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php/php.ini
%%WWWDIR%%/vendor/brick/math/CHANGELOG.md
%%WWWDIR%%/vendor/brick/math/LICENSE
%%WWWDIR%%/vendor/brick/math/SECURITY.md

%%WWWDIR%%/vendor/psr/http-message/LICENSE
%%WWWDIR%%/vendor/psr/http-message/README.md
%%WWWDIR%%/vendor/psr/http-message/composer.json
%%WWWDIR%%/vendor/psr/http-message/docs/PSR7-Interfaces.md
%%WWWDIR%%/vendor/psr/http-message/docs/PSR7-Usage.md
%%WWWDIR%%/vendor/psr/http-message/src/MessageInterface.php
%%WWWDIR%%/vendor/psr/http-message/src/RequestInterface.php
%%WWWDIR%%/vendor/psr/http-message/src/ResponseInterface.php

%%WWWDIR%%/vendor/seld/jsonlint/LICENSE
%%WWWDIR%%/vendor/seld/jsonlint/README.md
%%WWWDIR%%/vendor/seld/jsonlint/composer.json
%%WWWDIR%%/vendor/seld/jsonlint/phpstan.neon.dist
%%WWWDIR%%/vendor/seld/jsonlint/src/Seld/JsonLint/DuplicateKeyException.php
%%WWWDIR%%/vendor/seld/jsonlint/src/Seld/JsonLint/JsonParser.php
%%WWWDIR%%/vendor/seld/jsonlint/src/Seld/JsonLint/Lexer.php

%%WWWDIR%%/vendor/symfony/polyfill-mbstring/LICENSE
%%WWWDIR%%/vendor/symfony/polyfill-mbstring/Mbstring.php
%%WWWDIR%%/vendor/symfony/polyfill-mbstring/README.md
%%WWWDIR%%/vendor/symfony/polyfill-mbstring/Resources/unidata/caseFolding.php
%%WWWDIR%%/vendor/symfony/polyfill-mbstring/Resources/unidata/lowerCase.php
%%WWWDIR%%/vendor/symfony/polyfill-mbstring/Resources/unidata/titleCaseRegexp.php
%%WWWDIR%%/vendor/symfony/polyfill-mbstring/Resources/unidata/upperCase.php

%%WWWDIR%%/vendor/symfony/polyfill-php81/LICENSE
%%WWWDIR%%/vendor/symfony/polyfill-php81/Php81.php
%%WWWDIR%%/vendor/symfony/polyfill-php81/README.md
%%WWWDIR%%/vendor/symfony/polyfill-php81/Resources/stubs/CURLStringFile.php
%%WWWDIR%%/vendor/symfony/polyfill-php81/Resources/stubs/ReturnTypeWillChange.php
%%WWWDIR%%/vendor/symfony/polyfill-php81/bootstrap.php
%%WWWDIR%%/vendor/symfony/polyfill-php81/composer.json

%%WWWDIR%%/vendor/webmozart/assert/src/Assert.php
%%WWWDIR%%/vendor/webmozart/assert/src/InvalidArgumentException.php
%%WWWDIR%%/vendor/webmozart/assert/src/Mixin.php
%%WWWDIR%%/version/10.0.10
@dir %%WWWDIR%%/ajax
@dir %%WWWDIR%%/bin
@dir %%WWWDIR%%/config

@dir %%WWWDIR%%/install/migrations/update_10.0.4_to_10.0.5
@dir %%WWWDIR%%/install/migrations/update_10.0.5_to_10.0.6
@dir %%WWWDIR%%/install/migrations/update_10.0.6_to_10.0.7
@dir %%WWWDIR%%/install/migrations/update_10.0.7_to_10.0.8
@dir %%WWWDIR%%/install/migrations/update_10.0.8_to_10.0.9
@dir %%WWWDIR%%/install/migrations/update_10.0.9_to_10.0.10
@dir %%WWWDIR%%/install/migrations/update_9.4.x_to_9.5.0
@dir %%WWWDIR%%/install/migrations/update_9.5.x_to_10.0.0
@dir %%WWWDIR%%/install/mysql
@dir %%WWWDIR%%/js
@dir %%WWWDIR%%/js/modules/Debug/
@dir %%WWWDIR%%/js/Forms
@dir %%WWWDIR%%/js/RichText
@dir %%WWWDIR%%/js/modules

@dir %%WWWDIR%%/js/modules/Search
@dir %%WWWDIR%%/js/modules/SearchTokenizer
@dir %%WWWDIR%%/lib
@dir %%WWWDIR%%/lib/blueimp/
@dir %%WWWDIR%%/lib/blueimp/jquery-file-upload/
@dir %%WWWDIR%%/lib/bundles
@dir %%WWWDIR%%/locales
@dir %%WWWDIR%%/marketplace

@dir %%WWWDIR%%/src/ContentTemplates/Parameters/ParametersTypes
@dir %%WWWDIR%%/src/Csv
@dir %%WWWDIR%%/src/Dashboard
@dir %%WWWDIR%%/src/Dashboard/Filters/
@dir %%WWWDIR%%/src/Debug/
@dir %%WWWDIR%%/src/Exception
@dir %%WWWDIR%%/src/Features
@dir %%WWWDIR%%/src/Http

@dir %%WWWDIR%%/templates/central/lists
@dir %%WWWDIR%%/templates/components
@dir %%WWWDIR%%/templates/components/dashboard
@dir %%WWWDIR%%/templates/components/debug/
@dir %%WWWDIR%%/templates/components/dropdown
@dir %%WWWDIR%%/templates/components/form
@dir %%WWWDIR%%/templates/components/itilobject

@dir %%WWWDIR%%/templates/pages/setup/general
@dir %%WWWDIR%%/templates/pages/tools
@dir %%WWWDIR%%/vendor
@dir %%WWWDIR%%/vendor/blueimp
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/css
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/img
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/js
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/cors
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/js/vendor
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/server
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/gae-python
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/gae-python/static
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php
@dir %%WWWDIR%%/vendor/blueimp/jquery-file-upload/server/php/files
@dir %%WWWDIR%%/vendor/brick
@dir %%WWWDIR%%/vendor/brick/math
@dir %%WWWDIR%%/vendor/brick/math/src

@dir %%WWWDIR%%/vendor/psr/http-factory
@dir %%WWWDIR%%/vendor/psr/http-factory/src
@dir %%WWWDIR%%/vendor/psr/http-message
@dir %%WWWDIR%%/vendor/psr/http-message/docs/
@dir %%WWWDIR%%/vendor/psr/http-message/src
@dir %%WWWDIR%%/vendor/psr/log
@dir %%WWWDIR%%/vendor/psr/log/Psr

Return to bug 272685

Lines 465-472 Link Here

(-)b/security/vuxml/vuln/2020.xml (-20 / +20 lines)
465	<affects>	465	<affects>
466	<package>	466	<package>
467	<name>glpi</name>	467	<name>glpi</name>
468	<range><gt>9.5.0</gt></range>	468	<range><ge>9.5.0</ge><lt>9.5.3</lt></range>
469	<range><lt>9.5.3</lt></range>
470	</package>	469	</package>
471	</affects>	470	</affects>
472	<description>	471	<description>
Lines 486-491 Link Here
486	<dates>	485	<dates>
487	<discovery>2020-10-01</discovery>	486	<discovery>2020-10-01</discovery>
488	<entry>2020-10-01</entry>	487	<entry>2020-10-01</entry>
		488	<modified>2023-10-11</modified>
489	</dates>	489	</dates>
490	</vuln>	490	</vuln>
491		491
Lines 494-501 Link Here
494	<affects>	494	<affects>
495	<package>	495	<package>
496	<name>glpi</name>	496	<name>glpi</name>
497	<range><gt>9.1</gt></range>	497	<range><ge>9.1</ge><lt>9.5.2</lt></range>
498	<range><lt>9.5.2</lt></range>
499	</package>	498	</package>
500	</affects>	499	</affects>
501	<description>	500	<description>
Lines 514-519 Link Here
514	<dates>	513	<dates>
515	<discovery>2020-06-25</discovery>	514	<discovery>2020-06-25</discovery>
516	<entry>2020-06-25</entry>	515	<entry>2020-06-25</entry>
		516	<modified>2023-10-11</modified>
517	</dates>	517	</dates>
518	</vuln>	518	</vuln>
519		519
Lines 522-529 Link Here
522	<affects>	522	<affects>
523	<package>	523	<package>
524	<name>glpi</name>	524	<name>glpi</name>
525	<range><gt>9.5.0</gt></range>	525	<range><ge>9.5.0</ge><lt>9.5.2</lt></range>
526	<range><lt>9.5.2</lt></range>
527	</package>	526	</package>
528	</affects>	527	</affects>
529	<description>	528	<description>
Lines 542-547 Link Here
542	<dates>	541	<dates>
543	<discovery>2020-06-25</discovery>	542	<discovery>2020-06-25</discovery>
544	<entry>2020-06-25</entry>	543	<entry>2020-06-25</entry>
		544	<modified>2023-10-11</modified>
545	</dates>	545	</dates>
546	</vuln>	546	</vuln>
547		547
Lines 550-557 Link Here
550	<affects>	550	<affects>
551	<package>	551	<package>
552	<name>glpi</name>	552	<name>glpi</name>
553	<range><gt>0.65</gt></range>	553	<range><ge>0.65</ge><lt>9.5.2</lt></range>
554	<range><lt>9.5.2</lt></range>
555	</package>	554	</package>
556	</affects>	555	</affects>
557	<description>	556	<description>
Lines 570-575 Link Here
570	<dates>	569	<dates>
571	<discovery>2020-06-25</discovery>	570	<discovery>2020-06-25</discovery>
572	<entry>2020-06-25</entry>	571	<entry>2020-06-25</entry>
		572	<modified>2023-10-11</modified>
573	</dates>	573	</dates>
574	</vuln>	574	</vuln>
575		575
Lines 578-585 Link Here
578	<affects>	578	<affects>
579	<package>	579	<package>
580	<name>glpi</name>	580	<name>glpi</name>
581	<range><gt>0.68</gt></range>	581	<range><ge>0.68</ge><lt>9.5.2</lt></range>
582	<range><lt>9.5.2</lt></range>
583	</package>	582	</package>
584	</affects>	583	</affects>
585	<description>	584	<description>
Lines 598-603 Link Here
598	<dates>	597	<dates>
599	<discovery>2020-06-25</discovery>	598	<discovery>2020-06-25</discovery>
600	<entry>2020-06-25</entry>	599	<entry>2020-06-25</entry>
		600	<modified>2023-10-11</modified>
601	</dates>	601	</dates>
602	</vuln>	602	</vuln>
603		603
Lines 606-613 Link Here
606	<affects>	606	<affects>
607	<package>	607	<package>
608	<name>glpi</name>	608	<name>glpi</name>
609	<range><gt>0.70</gt></range>	609	<range><ge>0.70</ge><lt>9.5.2</lt></range>
610	<range><lt>9.5.2</lt></range>
611	</package>	610	</package>
612	</affects>	611	</affects>
613	<description>	612	<description>
Lines 626-631 Link Here
626	<dates>	625	<dates>
627	<discovery>2020-06-25</discovery>	626	<discovery>2020-06-25</discovery>
628	<entry>2020-06-25</entry>	627	<entry>2020-06-25</entry>
		628	<modified>2023-10-11</modified>
629	</dates>	629	</dates>
630	</vuln>	630	</vuln>
631		631
Lines 634-641 Link Here
634	<affects>	634	<affects>
635	<package>	635	<package>
636	<name>glpi</name>	636	<name>glpi</name>
637	<range><gt>9.5.0</gt></range>	637	<range><ge>9.5.0</ge><lt>9.5.1</lt></range>
638	<range><lt>9.5.1</lt></range>
639	</package>	638	</package>
640	</affects>	639	</affects>
641	<description>	640	<description>
Lines 655-660 Link Here
655	<dates>	654	<dates>
656	<discovery>2020-06-25</discovery>	655	<discovery>2020-06-25</discovery>
657	<entry>2020-06-25</entry>	656	<entry>2020-06-25</entry>
		657	<modified>2023-10-11</modified>
658	</dates>	658	</dates>
659	</vuln>	659	</vuln>
660		660
Lines 663-670 Link Here
663	<affects>	663	<affects>
664	<package>	664	<package>
665	<name>glpi</name>	665	<name>glpi</name>
666	<range><gt>0.68.1</gt></range>	666	<range><ge>0.68.1</ge><lt>9.4.6</lt></range>
667	<range><lt>9.4.6</lt></range>
668	</package>	667	</package>
669	</affects>	668	</affects>
670	<description>	669	<description>
Lines 683-688 Link Here
683	<dates>	682	<dates>
684	<discovery>2020-03-30</discovery>	683	<discovery>2020-03-30</discovery>
685	<entry>2020-03-30</entry>	684	<entry>2020-03-30</entry>
		685	<modified>2023-10-11</modified>
686	</dates>	686	</dates>
687	</vuln>	687	</vuln>
688		688
Lines 746-753 Link Here
746	<affects>	746	<affects>
747	<package>	747	<package>
748	<name>glpi</name>	748	<name>glpi</name>
749	<range><gt>0.83.3</gt></range>	749	<range><ge>0.83.3</ge><lt>9.4.6</lt></range>
750	<range><lt>9.4.6</lt></range>
751	</package>	750	</package>
752	</affects>	751	</affects>
753	<description>	752	<description>
Lines 767-772 Link Here
767	<dates>	766	<dates>
768	<discovery>2020-03-30</discovery>	767	<discovery>2020-03-30</discovery>
769	<entry>2020-03-30</entry>	768	<entry>2020-03-30</entry>
		769	<modified>2023-10-11</modified>
770	</dates>	770	</dates>
771	</vuln>	771	</vuln>
772		772
Lines 803-810 Link Here
803	<affects>	803	<affects>
804	<package>	804	<package>
805	<name>glpi</name>	805	<name>glpi</name>
806	<range><gt>9.1</gt></range>	806	<range><ge>9.1</ge><lt>9.4.6</lt></range>
807	<range><lt>9.4.6</lt></range>
808	</package>	807	</package>
809	</affects>	808	</affects>
810	<description>	809	<description>
Lines 824-829 Link Here
824	<dates>	823	<dates>
825	<discovery>2020-03-30</discovery>	824	<discovery>2020-03-30</discovery>
826	<entry>2020-03-30</entry>	825	<entry>2020-03-30</entry>
		826	<modified>2023-10-11</modified>
827	</dates>	827	</dates>
828	</vuln>	828	</vuln>
829		829

Lines 1-3 Link Here

(-)b/security/vuxml/vuln/2023.xml (+555 lines)
		1	<vuln vid="10e86b16-6836-11ee-b06f-0050569ceb3a">
		2	<topic>Unallowed PHP script execution in GLPI</topic>
		3	<affects>
		4	<package>
		5	<name>glpi</name>
		6	<range><lt>10.0.10</lt></range>
		7	</package>
		8	</affects>
		9	<description>
		10	<body xmlns="http://www.w3.org/1999/xhtml">
		11	<p>From the GLPI 10.0.10 Changelog:</p>
		12	<blockquote
		13	cite="https://github.com/glpi-project/glpi/releases/tag/10.0.10">
		14	<p>You will find below security issues fixed in this bugfixes version:
		15	[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).</p>
		16	</blockquote>
		17	<p>The mentioned CVE is invalid</p>
		18	</body>
		19	</description>
		20	<references>
		21	<cvename>CVE-2023-42802</cvename>
		22	<url>https://github.com/glpi-project/glpi/releases/tag/10.0.10</url>
		23	</references>
		24	<dates>
		25	<discovery>2023-09-27</discovery>
		26	<entry>2023-10-11</entry>
		27	</dates>
		28	</vuln>
		29
		30	<vuln vid="894f2491-6834-11ee-b06f-0050569ceb3a">
		31	<topic>glpi-project -- SQL injection in ITIL actors in GLPI</topic>
		32	<affects>
		33	<package>
		34	<name>glpi</name>
		35	<range><ge>10.0.8</ge><lt>10.0.10</lt></range>
		36	</package>
		37	</affects>
		38	<description>
		39	<body xmlns="http://www.w3.org/1999/xhtml">
		40	<p>security-advisories@github.com reports:</p>
		41	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w">
		42	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
		43	Asset and IT Management Software package, that provides ITIL Service
		44	Desk features, licenses tracking and software auditing. The ITIL
		45	actors input field from the Ticket form can be used to perform a
		46	SQL injection. Users are advised to upgrade to version 10.0.10.
		47	There are no known workarounds for this vulnerability.</p>
		48	</blockquote>
		49	</body>
		50	</description>
		51	<references>
		52	<cvename>CVE-2023-42461</cvename>
		53	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-42461</url>
		54	</references>
		55	<dates>
		56	<discovery>2023-09-27</discovery>
		57	<entry>2023-10-11</entry>
		58	</dates>
		59	</vuln>
		60
		61	<vuln vid="54e5573a-6834-11ee-b06f-0050569ceb3a">
		62	<topic>Phishing through a login page malicious URL in GLPI</topic>
		63	<affects>
		64	<package>
65	<name>glpi</name>
66	<range><ge>10.0.8</ge><lt>10.0.10</lt></range>
67	</package>
68	</affects>
69	<description>
70	<body xmlns="http://www.w3.org/1999/xhtml">
71	<p>security-advisories@github.com reports:</p>
72	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-2hcg-75jj-hghp">
73	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
74	Asset and IT Management Software package, that provides ITIL Service
75	Desk features, licenses tracking and software auditing. The lack
76	of path filtering on the GLPI URL may allow an attacker to transmit
77	a malicious URL of login page that can be used to attempt a phishing
78	attack on user credentials. Users are advised to upgrade to version
79	10.0.10. There are no known workarounds for this vulnerability.</p>
80	</blockquote>
81	</body>
82	</description>
83	<references>
84	<cvename>CVE-2023-41888</cvename>
85	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41888</url>
86	</references>
87	<dates>
88	<discovery>2023-09-27</discovery>
89	<entry>2023-10-11</entry>
90	</dates>
91	</vuln>
92
93	<vuln vid="20302cbc-6834-11ee-b06f-0050569ceb3a">
94	<topic>Users login enumeration by unauthenticated user in GLPI</topic>
95	<affects>
96	<package>
97	<name>glpi</name>
98	<range><ge>0.68</ge><lt>10.0.10</lt></range>
99	</package>
100	</affects>
101	<description>
102	<body xmlns="http://www.w3.org/1999/xhtml">
103	<p>security-advisories@github.com reports:</p>
104	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5cf4-6q6r-49x9">
105	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
106	Asset and IT Management Software package, that provides ITIL Service
107	Desk features, licenses tracking and software auditing. An
108	unauthenticated user can enumerate users logins. Users are advised
109	to upgrade to version 10.0.10. There are no known workarounds for
110	this vulnerability.</p>
111	</blockquote>
112	</body>
113	</description>
114	<references>
115	<cvename>CVE-2023-41323</cvename>
116	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41323</url>
117	</references>
118	<dates>
119	<discovery>2023-09-27</discovery>
120	<entry>2023-10-11</entry>
121	</dates>
122	</vuln>
123
124	<vuln vid="ae8b1445-6833-11ee-b06f-0050569ceb3a">
125	<topic>Privilege Escalation from technician to super-admin in GLPI</topic>
126	<affects>
127	<package>
128	<name>glpi</name>
129	<range><ge>9.1.0</ge><lt>10.0.10</lt></range>
130	</package>
131	</affects>
132	<description>
133	<body xmlns="http://www.w3.org/1999/xhtml">
134	<p>security-advisories@github.com reports:</p>
135	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-9j8m-7563-8xvr">
136	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
137	Asset and IT Management Software package, that provides ITIL Service
138	Desk features, licenses tracking and software auditing. A user
139	with write access to another user can make requests to change the
140	latter's password and then take control of their account.
141	Users are advised to upgrade to version 10.0.10. There are no known
142	work around for this vulnerability.</p>
143	</blockquote>
144	</body>
145	</description>
146	<references>
147	<cvename>CVE-2023-41322</cvename>
148	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41322</url>
149	</references>
150	<dates>
151	<discovery>2023-09-27</discovery>
152	<entry>2023-10-11</entry>
153	</dates>
154	</vuln>
155
156	<vuln vid="6851f3bb-6833-11ee-b06f-0050569ceb3a">
157	<topic>Sensitive fields enumeration through API in GLPI</topic>
158	<affects>
159	<package>
160	<name>glpi</name>
161	<range><ge>9.1.1</ge><lt>10.0.10</lt></range>
162	</package>
163	</affects>
164	<description>
165	<body xmlns="http://www.w3.org/1999/xhtml">
166	<p>security-advisories@github.com reports:</p>
167	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-3fxw-j5rj-w836">
168	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
169	Asset and IT Management Software package, that provides ITIL Service
170	Desk features, licenses tracking and software auditing. An API
171	user can enumerate sensitive fields values on resources on which
172	he has read access. Users are advised to upgrade to version 10.0.10.
173	There are no known workarounds for this vulnerability.</p>
174	</blockquote>
175	</body>
176	</description>
177	<references>
178	<cvename>CVE-2023-41321</cvename>
179	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41321</url>
180	</references>
181	<dates>
182	<discovery>2023-09-27</discovery>
183	<entry>2023-10-11</entry>
184	</dates>
185	</vuln>
186
187	<vuln vid="df71f5aa-6831-11ee-b06f-0050569ceb3a">
188	<topic>File deletion through document upload process in GLPI</topic>
189	<affects>
190	<package>
191	<name>glpi</name>
192	<range><ge>10.0.0</ge><lt>10.0.10</lt></range>
193	</package>
194	</affects>
195	<description>
196	<body xmlns="http://www.w3.org/1999/xhtml">
197	<p>security-advisories@github.com reports:</p>
198	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75">
199	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
200	Asset and IT Management Software package, that provides ITIL Service
201	Desk features, licenses tracking and software auditing. The document
202	upload process can be diverted to delete some files. Users are
203	advised to upgrade to version 10.0.10. There are no known workarounds
204	for this vulnerability.</p>
205	</blockquote>
206	</body>
207	</description>
208	<references>
209	<cvename>CVE-2023-42462</cvename>
210	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-42462</url>
211	</references>
212	<dates>
213	<discovery>2023-09-27</discovery>
214	<entry>2023-10-11</entry>
215	</dates>
216	</vuln>
217
218	<vuln vid="95c4ec45-6831-11ee-b06f-0050569ceb3a">
219	<topic>Account takeover through API in GLPI</topic>
220	<affects>
221	<package>
222	<name>glpi</name>
223	<range><ge>9.3.0</ge><lt>10.0.10</lt></range>
224	</package>
225	</affects>
226	<description>
227	<body xmlns="http://www.w3.org/1999/xhtml">
228	<p>security-advisories@github.com reports:</p>
229	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3">
230	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
231	Asset and IT Management Software package, that provides ITIL Service
232	Desk features, licenses tracking and software auditing. An API
233	user that have read access on users resource can steal accounts of
234	other users. Users are advised to upgrade to version 10.0.10.
235	There are no known workarounds for this vulnerability.</p>
236	</blockquote>
237	</body>
238	</description>
239	<references>
240	<cvename>CVE-2023-41324</cvename>
241	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41324</url>
242	</references>
243	<dates>
244	<discovery>2023-09-27</discovery>
245	<entry>2023-10-11</entry>
246	</dates>
247	</vuln>
248
249	<vuln vid="040e69f1-6831-11ee-b06f-0050569ceb3a">
250	<topic>Account takeover via Kanban feature in GLPI</topic>
251	<affects>
252	<package>
253	<name>glpi</name>
254	<range><ge>9.5.0</ge><lt>10.0.10</lt></range>
255	</package>
256	</affects>
257	<description>
258	<body xmlns="http://www.w3.org/1999/xhtml">
259	<p>security-advisories@github.com reports:</p>
260	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5wj6-hp4c-j5q9">
261	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
262	Asset and IT Management Software package, that provides ITIL Service
263	Desk features, licenses tracking and software auditing. A logged
264	user from any profile can hijack the Kanban feature to alter any
265	user field, and end-up with stealing its account. Users are advised
266	to upgrade to version 10.0.10. There are no known workarounds for
267	this vulnerability.</p>
268	</blockquote>
269	</body>
270	</description>
271	<references>
272	<cvename>CVE-2023-41326</cvename>
273	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41326</url>
274	</references>
275	<dates>
276	<discovery>2023-09-27</discovery>
277	<entry>2023-10-11</entry>
278	</dates>
279	</vuln>
280
281	<vuln vid="6f6518ab-6830-11ee-b06f-0050569ceb3a">
282	<topic>Account takeover via SQL Injection in UI layout preferences in GLPI</topic>
283	<affects>
284	<package>
285	<name>glpi</name>
286	<range><ge>10.0.0</ge><lt>10.0.10</lt></range>
287	</package>
288	</affects>
289	<description>
290	<body xmlns="http://www.w3.org/1999/xhtml">
291	<p>security-advisories@github.com reports:</p>
292	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-mv2r-gpw3-g476">
293	<p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
294	Asset and IT Management Software package, that provides ITIL Service
295	Desk features, licenses tracking and software auditing. UI layout
296	preferences management can be hijacked to lead to SQL injection.
297	This injection can be use to takeover an administrator account.
298	Users are advised to upgrade to version 10.0.10. There are no known
299	workarounds for this vulnerability.</p>
300	</blockquote>
301	</body>
302	</description>
303	<references>
304	<cvename>CVE-2023-41320</cvename>
305	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-41320</url>
306	</references>
307	<dates>
308	<discovery>2023-09-27</discovery>
309	<entry>2023-10-11</entry>
310	</dates>
311	</vuln>
312
313	<vuln vid="257e1bf0-682f-11ee-b06f-0050569ceb3a">
314	<topic>GLPI vulnerable to SQL injection via dashboard administration</topic>
315	<affects>
316	<package>
317	<name>glpi</name>
318	<range><ge>9.5.0</ge><lt>10.0.9</lt></range>
319	</package>
320	</affects>
321	<description>
322	<body xmlns="http://www.w3.org/1999/xhtml">
323	<p>security-advisories@github.com reports:</p>
324	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.9">
325	<p>GLPI is a Free Asset and IT Management Software package, Data center
326	management, ITIL Service Desk, licenses tracking and software
327	auditing. An administrator can trigger SQL injection via dashboards
328	administration. This vulnerability has been patched in version
329	10.0.9.
330	</p>
331	</blockquote>
332	</body>
333	</description>
334	<references>
335	<cvename>CVE-2023-37278</cvename>
336	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-37278</url>
337	</references>
338	<dates>
339	<discovery>2023-07-13</discovery>
340	<entry>2023-10-11</entry>
341	</dates>
342	</vuln>
343
344	<vuln vid="40173815-6827-11ee-b06f-0050569ceb3a">
345	<topic>GLPI vulnerable to unauthorized access to User data</topic>
346	<affects>
347	<package>
348	<name>glpi</name>
349	<range><ge>0.68</ge><lt>10.0.8</lt></range>
350	</package>
351	</affects>
352	<description>
353	<body xmlns="http://www.w3.org/1999/xhtml">
354	<p>security-advisories@github.com reports:</p>
355	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
356	<p>GLPI is a free asset and IT management software package. Versions
357	of the software starting with 0.68 and prior to 10.0.8 have an
358	incorrect rights check on a on a file accessible by an authenticated
359	user. This allows access to the list of all users and their personal
360	information. Users should upgrade to version 10.0.8 to receive a
361	patch.</p>
362	</blockquote>
363	</body>
364	</description>
365	<references>
366	<cvename>CVE-2023-34106</cvename>
367	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-34106</url>
368	</references>
369	<dates>
370	<discovery>2023-07-05</discovery>
371	<entry>2023-10-11</entry>
372	</dates>
373	</vuln>
374
375	<vuln vid="1fe40200-6823-11ee-b06f-0050569ceb3a">
376	<topic>GLPI vulnerable to unauthorized access to KnowbaseItem data</topic>
377	<affects>
378	<package>
379	<name>glpi</name>
380	<range><ge>9.2.0</ge><lt>10.0.8</lt></range>
381	</package>
382	</affects>
383	<description>
384	<body xmlns="http://www.w3.org/1999/xhtml">
385	<p>security-advisories@github.com reports:</p>
386	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
387	<p>GLPI is a free asset and IT management software package. Versions
388	of the software starting with 9.2.0 and prior to 10.0.8 have an
389	incorrect rights check on a on a file accessible by an authenticated
390	user, allows access to the view all KnowbaseItems. Version 10.0.8
391	has a patch for this issue.</p>
392	</blockquote>
393	</body>
394	</description>
395	<references>
396	<cvename>CVE-2023-34107</cvename>
397	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-34107</url>
398	</references>
399	<dates>
400	<discovery>2023-07-05</discovery>
401	<entry>2023-10-11</entry>
402	</dates>
403	</vuln>
404
405	<vuln vid="b14a6ddc-6821-11ee-b06f-0050569ceb3a">
406	<topic>GLPI vulnerable to reflected XSS in search pages</topic>
407	<affects>
408	<package>
409	<name>glpi</name>
410	<range><ge>9.4.0</ge><lt>10.0.8</lt></range>
411	</package>
412	</affects>
413	<description>
414	<body xmlns="http://www.w3.org/1999/xhtml">
415	<p>security-advisories@github.com reports:</p>
416	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
417	<p>GLPI is a free asset and IT management software package. Starting
418	in version 9.4.0 and prior to version 10.0.8, a malicious link can
419	be crafted by an unauthenticated user that can exploit a reflected
420	XSS in case any authenticated user opens the crafted link. Users
421	should upgrade to version 10.0.8 to receive a patch.</p>
422	</blockquote>
423	</body>
424	</description>
425	<references>
426	<cvename>CVE-2023-34244</cvename>
427	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-34244</url>
428	</references>
429	<dates>
430	<discovery>2023-07-05</discovery>
431	<entry>2023-10-11</entry>
432	</dates>
433	</vuln>
434
435	<vuln vid="95fde6bc-6821-11ee-b06f-0050569ceb3a">
436	<topic>GLPI vulnerable to unauthenticated access to Dashboard data</topic>
437	<affects>
438	<package>
439	<name>glpi</name>
440	<range><ge>9.5.0</ge><lt>10.0.8</lt></range>
441	</package>
442	</affects>
443	<description>
444	<body xmlns="http://www.w3.org/1999/xhtml">
445	<p>security-advisories@github.com reports:</p>
446	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
447	<p>GLPI is a free asset and IT management software package. Starting
448	in version 9.5.0 and prior to version 10.0.8, an incorrect rights
449	check on a file allows an unauthenticated user to be able to access
450	dashboards data. Version 10.0.8 contains a patch for this issue.</p>
451	</blockquote>
452	</body>
453	</description>
454	<references>
455	<cvename>CVE-2023-35940</cvename>
456	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-35940</url>
457	</references>
458	<dates>
459	<discovery>2023-07-05</discovery>
460	<entry>2023-10-11</entry>
461	</dates>
462	</vuln>
463
464	<vuln vid="717efd8a-6821-11ee-b06f-0050569ceb3a">
465	<topic>GLPI vulnerable to unauthorized access to Dashboard data</topic>
466	<affects>
467	<package>
468	<name>glpi</name>
469	<range><ge>9.5.0</ge><lt>10.0.8</lt></range>
470	</package>
471	</affects>
472	<description>
473	<body xmlns="http://www.w3.org/1999/xhtml">
474	<p>security-advisories@github.com reports:</p>
475	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
476	<p>GLPI is a free asset and IT management software package. Starting
477	in version 9.5.0 and prior to version 10.0.8, an incorrect rights
478	check on a on a file accessible by an authenticated user (or not
479	for certain actions), allows a threat actor to interact, modify,
480	or see Dashboard data. Version 10.0.8 contains a patch for this
481	issue.</p>
482	</blockquote>
483	</body>
484	</description>
485	<references>
486	<cvename>CVE-2023-35939</cvename>
487	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-35939</url>
488	</references>
489	<dates>
490	<discovery>2023-07-05</discovery>
491	<entry>2023-10-11</entry>
492	</dates>
493	</vuln>
494
495	<vuln vid="548a4163-6821-11ee-b06f-0050569ceb3a">
496	<topic>GLPI vulnerable to SQL injection through Computer Virtual Machine information</topic>
497	<affects>
498	<package>
499	<name>glpi</name>
500	<range><ge>0.80</ge><lt>10.0.8</lt></range>
501	</package>
502	</affects>
503	<description>
504	<body xmlns="http://www.w3.org/1999/xhtml">
505	<p>security-advisories@github.com reports:</p>
506	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
507	<p>GLPI is a free asset and IT management software package. Starting
508	in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
509	form and GLPI inventory request can be used to perform a SQL injection
510	attack. Version 10.0.8 has a patch for this issue. As a workaround,
511	one may disable native inventory.</p>
512	</blockquote>
513	</body>
514	</description>
515	<references>
516	<cvename>CVE-2023-36808</cvename>
517	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-36808</url>
518	</references>
519	<dates>
520	<discovery>2023-07-05</discovery>
521	<entry>2023-10-11</entry>
522	</dates>
523	</vuln>
524
525	<vuln vid="e44e5ace-6820-11ee-b06f-0050569ceb3a">
526	<topic>GLPI vulnerable to SQL injection via inventory agent request</topic>
527	<affects>
528	<package>
529	<name>glpi</name>
530	<range><ge>10.0.0</ge><lt>10.0.8</lt></range>
531	</package>
532	</affects>
533	<description>
534	<body xmlns="http://www.w3.org/1999/xhtml">
535	<p>security-advisories@github.com reports:</p>
536	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
537	<p>GLPI is a free asset and IT management software package. Starting
538	in version 10.0.0 and prior to version 10.0.8, GLPI inventory
539	endpoint can be used to drive a SQL injection attack. By default,
540	GLPI inventory endpoint requires no authentication. Version 10.0.8
541	has a patch for this issue. As a workaround, one may disable native
542	inventory.</p>
543	</blockquote>
544	</body>
545	</description>
546	<references>
547	<cvename>CVE-2023-35924</cvename>
548	<url>https://nvd.nist.gov/vuln/detail/CVE-2023-35924</url>
549	</references>
550	<dates>
551	<discovery>2023-07-05</discovery>
552	<entry>2023-10-11</entry>
553	</dates>
554	</vuln>
555
1	<vuln vid="4f254817-6318-11ee-b2ff-080027de9982">	556	<vuln vid="4f254817-6318-11ee-b2ff-080027de9982">
2	<topic>Django -- multiple vulnerabilities</topic>	557	<topic>Django -- multiple vulnerabilities</topic>
3	<affects>	558	<affects>