  <vuln vid="10e86b16-6836-11ee-b06f-0050569ceb3a">
    <topic>Unallowed PHP script execution in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>From the GLPI 10.0.10 Changelog:</p>
        <blockquote
          cite="https://github.com/glpi-project/glpi/releases/tag/10.0.10">
          <p>You will find below security issues fixed in this bugfixes version:
          [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).</p>
        </blockquote>
        <p>The mentioned CVE is invalid.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-42802</cvename>
      <url>https://github.com/glpi-project/glpi/releases/tag/10.0.10</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="894f2491-6834-11ee-b06f-0050569ceb3a">
    <topic>glpi-project -- SQL injection in ITIL actors in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. The
          ITIL actors input field from the Ticket form can be used to perform
          a SQL injection. Users are advised to upgrade to version 10.0.10.
          There are no known workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-42461</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42461</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="54e5573a-6834-11ee-b06f-0050569ceb3a">
    <topic>Phishing through a login page malicious URL in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-2hcg-75jj-hghp">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. The
          lack of path filtering on the GLPI URL may allow an attacker to
          transmit a malicious login page URL that can be used to attempt a
          phishing attack on user credentials. Users are advised to upgrade to
          version 10.0.10. There are no known workarounds for this
          vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41888</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41888</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="20302cbc-6834-11ee-b06f-0050569ceb3a">
    <topic>Users login enumeration by unauthenticated user in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5cf4-6q6r-49x9">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. An
          unauthenticated user can enumerate user logins. Users are advised
          to upgrade to version 10.0.10. There are no known workarounds for
          this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41323</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41323</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="ae8b1445-6833-11ee-b06f-0050569ceb3a">
    <topic>Privilege Escalation from technician to super-admin in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.1.0,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-9j8m-7563-8xvr">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. A
          user with write access to another user can make requests to change
          the latter's password and then take control of their account.
          Users are advised to upgrade to version 10.0.10. There are no known
          workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41322</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41322</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="6851f3bb-6833-11ee-b06f-0050569ceb3a">
    <topic>Sensitive fields enumeration through API in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.1.1,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-3fxw-j5rj-w836">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. An
          API user can enumerate sensitive field values on resources to which
          they have read access. Users are advised to upgrade to version
          10.0.10. There are no known workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41321</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41321</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="df71f5aa-6831-11ee-b06f-0050569ceb3a">
    <topic>File deletion through document upload process in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.0,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. The
          document upload process can be diverted to delete some files. Users
          are advised to upgrade to version 10.0.10. There are no known
          workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-42462</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42462</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="95c4ec45-6831-11ee-b06f-0050569ceb3a">
    <topic>Account takeover through API in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.3.0,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. An
          API user that has read access to the users resource can steal
          accounts of other users. Users are advised to upgrade to version
          10.0.10. There are no known workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41324</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41324</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="040e69f1-6831-11ee-b06f-0050569ceb3a">
    <topic>Account takeover via Kanban feature in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.5.0,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5wj6-hp4c-j5q9">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. A
          logged-in user from any profile can hijack the Kanban feature to
          alter any user field and end up stealing that user's account. Users
          are advised to upgrade to version 10.0.10. There are no known
          workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41326</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41326</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="6f6518ab-6830-11ee-b06f-0050569ceb3a">
    <topic>Account takeover via SQL Injection in UI layout preferences in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.0,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-mv2r-gpw3-g476">
          <p>GLPI stands for Gestionnaire Libre de Parc Informatique and is a
          Free Asset and IT Management Software package that provides ITIL
          Service Desk features, licenses tracking and software auditing. UI
          layout preferences management can be hijacked to lead to SQL
          injection. This injection can be used to take over an administrator
          account. Users are advised to upgrade to version 10.0.10. There are
          no known workarounds for this vulnerability.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-41320</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41320</url>
    </references>
    <dates>
      <discovery>2023-09-27</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="257e1bf0-682f-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection via dashboard administration</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.5.0,1</ge><lt>10.0.9,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.9">
          <p>GLPI is a Free Asset and IT Management Software package, Data center
          management, ITIL Service Desk, licenses tracking and software
          auditing. An administrator can trigger SQL injection via dashboards
          administration. This vulnerability has been patched in version
          10.0.9.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-37278</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-37278</url>
    </references>
    <dates>
      <discovery>2023-07-13</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="40173815-6827-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthorized access to User data</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Versions
          of the software starting with 0.68 and prior to 10.0.8 have an
          incorrect rights check on a file accessible by an authenticated
          user. This allows access to the list of all users and their personal
          information. Users should upgrade to version 10.0.8 to receive a
          patch.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-34106</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34106</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="1fe40200-6823-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthorized access to KnowbaseItem data</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.2.0,1</ge><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Versions
          of the software starting with 9.2.0 and prior to 10.0.8 have an
          incorrect rights check on a file accessible by an authenticated
          user, which allows access to view all KnowbaseItems. Version 10.0.8
          has a patch for this issue.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-34107</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34107</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="b14a6ddc-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to reflected XSS in search pages</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.4.0,1</ge><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Starting
          in version 9.4.0 and prior to version 10.0.8, a malicious link can
          be crafted by an unauthenticated user that can exploit a reflected
          XSS in case any authenticated user opens the crafted link. Users
          should upgrade to version 10.0.8 to receive a patch.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-34244</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34244</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="95fde6bc-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthenticated access to Dashboard data</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.5.0,1</ge><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Starting
          in version 9.5.0 and prior to version 10.0.8, an incorrect rights
          check on a file allows an unauthenticated user to be able to access
          dashboards data. Version 10.0.8 contains a patch for this issue.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-35940</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35940</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="717efd8a-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to unauthorized access to Dashboard data</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>9.5.0,1</ge><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Starting
          in version 9.5.0 and prior to version 10.0.8, an incorrect rights
          check on a file accessible by an authenticated user (or not, for
          certain actions) allows a threat actor to interact with, modify,
          or see Dashboard data. Version 10.0.8 contains a patch for this
          issue.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-35939</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35939</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="548a4163-6821-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection through Computer Virtual Machine information</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Starting
          in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
          form and GLPI inventory request can be used to perform a SQL injection
          attack. Version 10.0.8 has a patch for this issue. As a workaround,
          one may disable native inventory.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-36808</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-36808</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

  <vuln vid="e44e5ace-6820-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection via inventory agent request</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.0,1</ge><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>security-advisories@github.com reports:</p>
        <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
          <p>GLPI is a free asset and IT management software package. Starting
          in version 10.0.0 and prior to version 10.0.8, GLPI inventory
          endpoint can be used to drive a SQL injection attack. By default,
          GLPI inventory endpoint requires no authentication. Version 10.0.8
          has a patch for this issue. As a workaround, one may disable native
          inventory.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2023-35924</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35924</url>
    </references>
    <dates>
      <discovery>2023-07-05</discovery>
      <entry>2023-10-11</entry>
    </dates>
  </vuln>

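The `<range>` bounds in the entries above are FreeBSD port version strings (`10.0.8,1` is VERSION, optional `_PORTREVISION`, optional `,PORTEPOCH`), and two mistakes are easy to make when consuming this feed by hand: comparing them as plain strings (so `10.0.10` sorts before `10.0.8`) and ignoring the epoch (so an unepoched `10.0.9` looks newer than `10.0.8,1`). The following is an added example, not FreeBSD's own tooling and not GLPI project code (the supported check is `pkg audit`, which reads the same VuXML feed). It parses a constructed VuXML fragment holding two of the GLPI entries above, with their description bodies dropped, and reports which entries cover a given installed version. The version comparison is a simplified re-implementation of pkg's ordering (epoch first, then numeric components, then revision); it is sufficient for the purely numeric versions on this page, and its handling of alphabetic tokens such as `rc` is an assumption, not pkg's exact rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML fragment: two entries copied from the advisory file,
# description bodies omitted.  This is sample input, not the full vuln.xml.
VUXML = """<vuxml xmlns="http://www.freebsd.org/xml/vuxml/1.0">
  <vuln vid="894f2491-6834-11ee-b06f-0050569ceb3a">
    <topic>glpi-project -- SQL injection in ITIL actors in GLPI</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
      </package>
    </affects>
    <references><cvename>CVE-2023-42461</cvename></references>
  </vuln>
  <vuln vid="e44e5ace-6820-11ee-b06f-0050569ceb3a">
    <topic>GLPI vulnerable to SQL injection via inventory agent request</topic>
    <affects>
      <package>
        <name>glpi</name>
        <range><ge>10.0.0,1</ge><lt>10.0.8,1</lt></range>
      </package>
    </affects>
    <references><cvename>CVE-2023-35924</cvename></references>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.freebsd.org/xml/vuxml/1.0"}


def parse_version(pkgver):
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, components, revision).

    Simplified model of pkg's version ordering.  Assumption: numeric tokens
    compare numerically and alphabetic tokens (rc, p, ...) sort after them;
    that is enough for the all-numeric versions in the GLPI entries.
    """
    epoch = 0
    if "," in pkgver:
        pkgver, epoch_str = pkgver.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in pkgver:
        pkgver, rev_str = pkgver.rsplit("_", 1)
        revision = int(rev_str)
    components = []
    for token in re.findall(r"\d+|[A-Za-z]+", pkgver):
        components.append((0, int(token)) if token.isdigit() else (1, token))
    return epoch, components, revision


def compare(a, b):
    """Return -1, 0 or 1 (strcmp style).  The epoch dominates everything,
    so an unepoched '10.0.9' is OLDER than '10.0.8,1', as it is for pkg."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    width = max(len(ca), len(cb))            # pad so that 10.0 == 10.0.0
    ca = ca + [(0, 0)] * (width - len(ca))
    cb = cb + [(0, 0)] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


# All bounds inside one <range> must hold; a <package> may list several ranges.
BOUND_OK = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(installed, range_el):
    for bound in range_el:
        op = bound.tag.rsplit("}", 1)[-1]     # drop the XML namespace prefix
        if not BOUND_OK[op](compare(installed, bound.text.strip())):
            return False
    return True


def affected_entries(vuxml_text, pkgname, installed):
    """Return [(vid, topic, [CVE ids])] for entries whose range covers installed."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for vuln in root.findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            if any(in_range(installed, r) for r in pkg.findall("v:range", NS)):
                cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
                hits.append((vuln.get("vid"), vuln.findtext("v:topic", namespaces=NS), cves))
                break
    return hits


if __name__ == "__main__":
    for ver in ("10.0.7_1,1", "10.0.8,1", "10.0.10,1", "10.0.9"):
        print(ver, [cves for _, _, cves in affected_entries(VUXML, "glpi", ver)])
```

Running it shows `10.0.7_1,1` matched only by the inventory-endpoint entry, `10.0.8,1` matched only by the ITIL-actors entry (the `<ge>10.0.8,1</ge>` lower bound is inclusive, the `<lt>` upper bound is not), `10.0.10,1` matched by neither, and the unepoched `10.0.9` matched by neither because epoch 0 sorts below every `,1` version. That last case is the reason to never strip the epoch when feeding version strings into a check like this.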
  <vuln vid="bdfa6c04-027a-11ef-9c21-901b0e9408dc">
    <topic>py-matrix-synapse -- weakness in auth chain indexing allows DoS</topic>
    <affects>