
(-)b/security/vuxml/vuln/2020.xml (-30 / +40 lines)
Lines 386-392 Link Here
386
    <affects>
386
    <affects>
387
      <package>
387
      <package>
388
	<name>glpi</name>
388
	<name>glpi</name>
389
	<range><lt>9.4.6</lt></range>
389
	<range><lt>9.4.6,1</lt></range>
390
      </package>
390
      </package>
391
    </affects>
391
    </affects>
392
    <description>
392
    <description>
Lines 405-410 Link Here
405
    <dates>
405
    <dates>
406
      <discovery>2020-01-02</discovery>
406
      <discovery>2020-01-02</discovery>
407
      <entry>2020-01-02</entry>
407
      <entry>2020-01-02</entry>
408
      <modified>2024-04-25</modified>
408
    </dates>
409
    </dates>
409
  </vuln>
410
  </vuln>
410
411
Lines 413-419 Link Here
413
    <affects>
414
    <affects>
414
      <package>
415
      <package>
415
	<name>glpi</name>
416
	<name>glpi</name>
416
	<range><lt>9.5.3</lt></range>
417
	<range><lt>9.5.3,1</lt></range>
417
      </package>
418
      </package>
418
    </affects>
419
    </affects>
419
    <description>
420
    <description>
Lines 431-436 Link Here
431
    <dates>
432
    <dates>
432
      <discovery>2020-10-22</discovery>
433
      <discovery>2020-10-22</discovery>
433
      <entry>2020-10-22</entry>
434
      <entry>2020-10-22</entry>
435
      <modified>2024-04-25</modified>
434
    </dates>
436
    </dates>
435
  </vuln>
437
  </vuln>
436
438
Lines 439-445 Link Here
439
    <affects>
441
    <affects>
440
      <package>
442
      <package>
441
	<name>glpi</name>
443
	<name>glpi</name>
442
	<range><lt>9.5.3</lt></range>
444
	<range><lt>9.5.3,1</lt></range>
443
      </package>
445
      </package>
444
    </affects>
446
    </affects>
445
    <description>
447
    <description>
Lines 457-462 Link Here
457
    <dates>
459
    <dates>
458
      <discovery>2020-10-22</discovery>
460
      <discovery>2020-10-22</discovery>
459
      <entry>2020-10-22</entry>
461
      <entry>2020-10-22</entry>
462
      <modified>2024-04-25</modified>
460
    </dates>
463
    </dates>
461
  </vuln>
464
  </vuln>
462
465
Lines 465-472 Link Here
465
    <affects>
468
    <affects>
466
      <package>
469
      <package>
467
	<name>glpi</name>
470
	<name>glpi</name>
468
	<range><gt>9.5.0</gt></range>
471
	<range><ge>9.5.0,1</ge><lt>9.5.3,1</lt></range>
469
	<range><lt>9.5.3</lt></range>
470
      </package>
472
      </package>
471
    </affects>
473
    </affects>
472
    <description>
474
    <description>
Lines 486-491 Link Here
486
    <dates>
488
    <dates>
487
      <discovery>2020-10-01</discovery>
489
      <discovery>2020-10-01</discovery>
488
      <entry>2020-10-01</entry>
490
      <entry>2020-10-01</entry>
491
      <modified>2024-04-25</modified>
489
    </dates>
492
    </dates>
490
  </vuln>
493
  </vuln>
491
494
Lines 494-501 Link Here
494
    <affects>
497
    <affects>
495
      <package>
498
      <package>
496
	<name>glpi</name>
499
	<name>glpi</name>
497
	<range><gt>9.1</gt></range>
500
	<range><ge>9.1,1</ge><lt>9.5.2,1</lt></range>
498
	<range><lt>9.5.2</lt></range>
499
      </package>
501
      </package>
500
    </affects>
502
    </affects>
501
    <description>
503
    <description>
Lines 514-519 Link Here
514
    <dates>
516
    <dates>
515
      <discovery>2020-06-25</discovery>
517
      <discovery>2020-06-25</discovery>
516
      <entry>2020-06-25</entry>
518
      <entry>2020-06-25</entry>
519
      <modified>2024-04-25</modified>
517
    </dates>
520
    </dates>
518
  </vuln>
521
  </vuln>
519
522
Lines 522-529 Link Here
522
    <affects>
525
    <affects>
523
      <package>
526
      <package>
524
	<name>glpi</name>
527
	<name>glpi</name>
525
	<range><gt>9.5.0</gt></range>
528
	<range><ge>9.5.0,1</ge><lt>9.5.2,1</lt></range>
526
	<range><lt>9.5.2</lt></range>
527
      </package>
529
      </package>
528
    </affects>
530
    </affects>
529
    <description>
531
    <description>
Lines 542-547 Link Here
542
    <dates>
544
    <dates>
543
      <discovery>2020-06-25</discovery>
545
      <discovery>2020-06-25</discovery>
544
      <entry>2020-06-25</entry>
546
      <entry>2020-06-25</entry>
547
      <modified>2024-04-25</modified>
545
    </dates>
548
    </dates>
546
  </vuln>
549
  </vuln>
547
550
Lines 550-557 Link Here
550
    <affects>
553
    <affects>
551
      <package>
554
      <package>
552
	<name>glpi</name>
555
	<name>glpi</name>
553
	<range><gt>0.65</gt></range>
556
	<range><lt>9.5.2,1</lt></range>
554
	<range><lt>9.5.2</lt></range>
555
      </package>
557
      </package>
556
    </affects>
558
    </affects>
557
    <description>
559
    <description>
Lines 570-575 Link Here
570
    <dates>
572
    <dates>
571
      <discovery>2020-06-25</discovery>
573
      <discovery>2020-06-25</discovery>
572
      <entry>2020-06-25</entry>
574
      <entry>2020-06-25</entry>
575
      <modified>2024-04-25</modified>
573
    </dates>
576
    </dates>
574
  </vuln>
577
  </vuln>
575
578
Lines 578-585 Link Here
578
    <affects>
581
    <affects>
579
      <package>
582
      <package>
580
	<name>glpi</name>
583
	<name>glpi</name>
581
	<range><gt>0.68</gt></range>
584
	<range><lt>9.5.2,1</lt></range>
582
	<range><lt>9.5.2</lt></range>
583
      </package>
585
      </package>
584
    </affects>
586
    </affects>
585
    <description>
587
    <description>
Lines 598-603 Link Here
598
    <dates>
600
    <dates>
599
      <discovery>2020-06-25</discovery>
601
      <discovery>2020-06-25</discovery>
600
      <entry>2020-06-25</entry>
602
      <entry>2020-06-25</entry>
603
      <modified>2024-04-25</modified>
601
    </dates>
604
    </dates>
602
  </vuln>
605
  </vuln>
603
606
Lines 606-613 Link Here
606
    <affects>
609
    <affects>
607
      <package>
610
      <package>
608
	<name>glpi</name>
611
	<name>glpi</name>
609
	<range><gt>0.70</gt></range>
612
	<range><lt>9.5.2,1</lt></range>
610
	<range><lt>9.5.2</lt></range>
611
      </package>
613
      </package>
612
    </affects>
614
    </affects>
613
    <description>
615
    <description>
Lines 626-631 Link Here
626
    <dates>
628
    <dates>
627
      <discovery>2020-06-25</discovery>
629
      <discovery>2020-06-25</discovery>
628
      <entry>2020-06-25</entry>
630
      <entry>2020-06-25</entry>
631
      <modified>2024-04-25</modified>
629
    </dates>
632
    </dates>
630
  </vuln>
633
  </vuln>
631
634
Lines 634-641 Link Here
634
    <affects>
637
    <affects>
635
      <package>
638
      <package>
636
	<name>glpi</name>
639
	<name>glpi</name>
637
	<range><gt>9.5.0</gt></range>
640
	<range><ge>9.5.0,1</ge><lt>9.5.1,1</lt></range>
638
	<range><lt>9.5.1</lt></range>
639
      </package>
641
      </package>
640
    </affects>
642
    </affects>
641
    <description>
643
    <description>
Lines 655-660 Link Here
655
    <dates>
657
    <dates>
656
      <discovery>2020-06-25</discovery>
658
      <discovery>2020-06-25</discovery>
657
      <entry>2020-06-25</entry>
659
      <entry>2020-06-25</entry>
660
      <modified>2024-04-25</modified>
658
    </dates>
661
    </dates>
659
  </vuln>
662
  </vuln>
660
663
Lines 663-670 Link Here
663
    <affects>
666
    <affects>
664
      <package>
667
      <package>
665
	<name>glpi</name>
668
	<name>glpi</name>
666
	<range><gt>0.68.1</gt></range>
669
	<range><lt>9.4.6,1</lt></range>
667
	<range><lt>9.4.6</lt></range>
668
      </package>
670
      </package>
669
    </affects>
671
    </affects>
670
    <description>
672
    <description>
Lines 683-688 Link Here
683
    <dates>
685
    <dates>
684
      <discovery>2020-03-30</discovery>
686
      <discovery>2020-03-30</discovery>
685
      <entry>2020-03-30</entry>
687
      <entry>2020-03-30</entry>
688
      <modified>2024-04-25</modified>
686
    </dates>
689
    </dates>
687
  </vuln>
690
  </vuln>
688
691
Lines 691-697 Link Here
691
    <affects>
694
    <affects>
692
      <package>
695
      <package>
693
	<name>glpi</name>
696
	<name>glpi</name>
694
	<range><lt>9.4.6</lt></range>
697
	<range><lt>9.4.6,1</lt></range>
695
      </package>
698
      </package>
696
    </affects>
699
    </affects>
697
    <description>
700
    <description>
Lines 710-715 Link Here
710
    <dates>
713
    <dates>
711
      <discovery>2020-03-30</discovery>
714
      <discovery>2020-03-30</discovery>
712
      <entry>2020-03-30</entry>
715
      <entry>2020-03-30</entry>
716
      <modified>2024-04-25</modified>
713
    </dates>
717
    </dates>
714
  </vuln>
718
  </vuln>
715
719
Lines 718-724 Link Here
718
    <affects>
722
    <affects>
719
      <package>
723
      <package>
720
	<name>glpi</name>
724
	<name>glpi</name>
721
	<range><lt>9.4.6</lt></range>
725
	<range><lt>9.4.6,1</lt></range>
722
      </package>
726
      </package>
723
    </affects>
727
    </affects>
724
    <description>
728
    <description>
Lines 738-743 Link Here
738
    <dates>
742
    <dates>
739
      <discovery>2020-03-30</discovery>
743
      <discovery>2020-03-30</discovery>
740
      <entry>2020-03-30</entry>
744
      <entry>2020-03-30</entry>
745
      <modified>2024-04-25</modified>
741
    </dates>
746
    </dates>
742
  </vuln>
747
  </vuln>
743
748
Lines 746-753 Link Here
746
    <affects>
751
    <affects>
747
      <package>
752
      <package>
748
	<name>glpi</name>
753
	<name>glpi</name>
749
	<range><gt>0.83.3</gt></range>
754
	<range><ge>0.83.3,1</ge><lt>9.4.6,1</lt></range>
750
	<range><lt>9.4.6</lt></range>
751
      </package>
755
      </package>
752
    </affects>
756
    </affects>
753
    <description>
757
    <description>
Lines 767-772 Link Here
767
    <dates>
771
    <dates>
768
      <discovery>2020-03-30</discovery>
772
      <discovery>2020-03-30</discovery>
769
      <entry>2020-03-30</entry>
773
      <entry>2020-03-30</entry>
774
      <modified>2024-04-25</modified>
770
    </dates>
775
    </dates>
771
  </vuln>
776
  </vuln>
772
777
Lines 775-781 Link Here
775
    <affects>
780
    <affects>
776
      <package>
781
      <package>
777
	<name>glpi</name>
782
	<name>glpi</name>
778
	<range><lt>9.4.6</lt></range>
783
	<range><lt>9.4.6,1</lt></range>
779
      </package>
784
      </package>
780
    </affects>
785
    </affects>
781
    <description>
786
    <description>
Lines 795-800 Link Here
795
    <dates>
800
    <dates>
796
      <discovery>2020-03-30</discovery>
801
      <discovery>2020-03-30</discovery>
797
      <entry>2020-03-30</entry>
802
      <entry>2020-03-30</entry>
803
      <modified>2024-04-25</modified>
798
    </dates>
804
    </dates>
799
  </vuln>
805
  </vuln>
800
806
Lines 803-810 Link Here
803
    <affects>
809
    <affects>
804
      <package>
810
      <package>
805
	<name>glpi</name>
811
	<name>glpi</name>
806
	<range><gt>9.1</gt></range>
812
	<range><ge>9.1,1</ge><lt>9.4.6,1</lt></range>
807
	<range><lt>9.4.6</lt></range>
808
      </package>
813
      </package>
809
    </affects>
814
    </affects>
810
    <description>
815
    <description>
Lines 824-829 Link Here
824
    <dates>
829
    <dates>
825
      <discovery>2020-03-30</discovery>
830
      <discovery>2020-03-30</discovery>
826
      <entry>2020-03-30</entry>
831
      <entry>2020-03-30</entry>
832
      <modified>2024-04-25</modified>
827
    </dates>
833
    </dates>
828
  </vuln>
834
  </vuln>
829
835
Lines 832-838 Link Here
832
    <affects>
838
    <affects>
833
      <package>
839
      <package>
834
	<name>glpi</name>
840
	<name>glpi</name>
835
	<range><lt>9.4.6</lt></range>
841
	<range><lt>9.4.6,1</lt></range>
836
      </package>
842
      </package>
837
    </affects>
843
    </affects>
838
    <description>
844
    <description>
Lines 850-855 Link Here
850
    <dates>
856
    <dates>
851
      <discovery>2020-03-30</discovery>
857
      <discovery>2020-03-30</discovery>
852
      <entry>2020-03-30</entry>
858
      <entry>2020-03-30</entry>
859
      <modified>2024-04-25</modified>
853
    </dates>
860
    </dates>
854
  </vuln>
861
  </vuln>
855
862
Lines 858-864 Link Here
858
    <affects>
865
    <affects>
859
      <package>
866
      <package>
860
	<name>glpi</name>
867
	<name>glpi</name>
861
	<range><lt>9.5.0</lt></range>
868
	<range><lt>9.5.0,1</lt></range>
862
      </package>
869
      </package>
863
    </affects>
870
    </affects>
864
    <description>
871
    <description>
Lines 878-883 Link Here
878
    <dates>
885
    <dates>
879
      <discovery>2020-03-30</discovery>
886
      <discovery>2020-03-30</discovery>
880
      <entry>2020-03-30</entry>
887
      <entry>2020-03-30</entry>
888
      <modified>2024-04-25</modified>
881
    </dates>
889
    </dates>
882
  </vuln>
890
  </vuln>
883
891
Lines 886-892 Link Here
886
    <affects>
894
    <affects>
887
      <package>
895
      <package>
888
	<name>glpi</name>
896
	<name>glpi</name>
889
	<range><lt>9.4.4</lt></range>
897
	<range><lt>9.4.4,1</lt></range>
890
      </package>
898
      </package>
891
    </affects>
899
    </affects>
892
    <description>
900
    <description>
Lines 906-911 Link Here
906
    <dates>
914
    <dates>
907
      <discovery>2019-08-05</discovery>
915
      <discovery>2019-08-05</discovery>
908
      <entry>2019-08-05</entry>
916
      <entry>2019-08-05</entry>
917
      <modified>2024-04-25</modified>
909
    </dates>
918
    </dates>
910
  </vuln>
919
  </vuln>
911
920
Lines 9011-9017 Workaround: Link Here
9011
    <affects>
9020
    <affects>
9012
      <package>
9021
      <package>
9013
	<name>glpi</name>
9022
	<name>glpi</name>
9014
	<range><lt>9.4.3</lt></range>
9023
	<range><lt>9.4.3,1</lt></range>
9015
      </package>
9024
      </package>
9016
    </affects>
9025
    </affects>
9017
    <description>
9026
    <description>
Lines 9031-9036 Workaround: Link Here
9031
    <dates>
9040
    <dates>
9032
      <discovery>2019-02-25</discovery>
9041
      <discovery>2019-02-25</discovery>
9033
      <entry>2020-05-09</entry>
9042
      <entry>2020-05-09</entry>
9043
      <modified>2024-04-25</modified>
9034
    </dates>
9044
    </dates>
9035
  </vuln>
9045
  </vuln>
9036
9046
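Review bot: The `<gt>` to `<ge>` rewrites in the hunks at Lines 465-472, 494-501, 522-529, 634-641, 746-753 and 803-810 make the lower bound inclusive (`<gt>9.5.0</gt>` becomes `<ge>9.5.0,1</ge>`), which is a semantic change beyond adding the epoch and should be confirmed per entry against the upstream advisory; the new 2024.xml entries pair "starting with 9.2.0" wording with `<ge>9.2.0,1</ge>`, so inclusive is presumably the intended convention. The hunks at Lines 550-557, 578-585, 606-613 and 663-670 instead drop their lower bound entirely (`<gt>0.65</gt>`, `<gt>0.68</gt>`, `<gt>0.70</gt>`, `<gt>0.68.1</gt>`) and keep only `<lt>`, which is inconsistent with the merged `<ge>…</ge><lt>…</lt>` form used in the other hunks of this file. If the intent is that those versions never existed as FreeBSD packages so the lower bound is redundant, a sentence in the commit message saying so would stop a later reader from treating the asymmetry as a data error. Folding the former two separate `<range>` elements into one is the substantive correction here, since separate ranges are evaluated independently.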
(-)b/security/vuxml/vuln/2023.xml (-1 / +2 lines)
Lines 8265-8271 Reported by Niccolo Belli and WIPocket (Github #400, #417). Link Here
8265
    <affects>
8265
    <affects>
8266
      <package>
8266
      <package>
8267
	<name>glpi</name>
8267
	<name>glpi</name>
8268
	<range><lt>10.0.7</lt></range>
8268
	<range><lt>10.0.7,1</lt></range>
8269
      </package>
8269
      </package>
8270
    </affects>
8270
    </affects>
8271
    <description>
8271
    <description>
Lines 8305-8310 Reported by Niccolo Belli and WIPocket (Github #400, #417). Link Here
8305
    <dates>
8305
    <dates>
8306
      <discovery>2023-03-20</discovery>
8306
      <discovery>2023-03-20</discovery>
8307
      <entry>2023-05-08</entry>
8307
      <entry>2023-05-08</entry>
8308
      <modified>2024-04-25</modified>
8308
    </dates>
8309
    </dates>
8309
  </vuln>
8310
  </vuln>
8310
8311
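Review bot: The epoched bound `<lt>10.0.7,1</lt>` at Lines 8265-8271 is compared epoch-first by pkg, so every package built before the PORTEPOCH bump matches as affected, including an epoch-0 10.0.7 or newer if any such package was ever published. That is the conservative direction and is presumably intended, since pre-epoch installs should be upgraded regardless, but it is worth stating in the commit message so the wider match is understood as deliberate rather than as an over-broad range. The same consideration applies to every `,1` bound added in 2020.xml.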
(-)b/security/vuxml/vuln/2024.xml (+555 lines)
Lines 1-3 Link Here
1
  <vuln vid="10e86b16-6836-11ee-b06f-0050569ceb3a">
2
    <topic>Unallowed PHP script execution in GLPI</topic>
3
    <affects>
4
      <package>
5
	<name>glpi</name>
6
	<range><lt>10.0.10,1</lt></range>
7
      </package>
8
    </affects>
9
    <description>
10
	<body xmlns="http://www.w3.org/1999/xhtml">
11
	<p>From the GLPI 10.0.10 Changelog:</p>
12
	<blockquote
13
	cite="https://github.com/glpi-project/glpi/releases/tag/10.0.10">
14
	<p>You will find below security issues fixed in this bugfixes version:
15
	[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).</p>
16
	</blockquote>
17
	<p>The mentioned CVE is invalid</p>
18
	</body>
19
    </description>
20
    <references>
21
      <cvename>CVE-2023-42802</cvename>
22
      <url>https://github.com/glpi-project/glpi/releases/tag/10.0.10</url>
23
    </references>
24
    <dates>
25
      <discovery>2023-09-27</discovery>
26
      <entry>2023-10-11</entry>
27
    </dates>
28
  </vuln>
29
30
  <vuln vid="894f2491-6834-11ee-b06f-0050569ceb3a">
31
    <topic>glpi-project -- SQL injection in ITIL actors in GLPI</topic>
32
    <affects>
33
      <package>
34
	<name>glpi</name>
35
	<range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
36
      </package>
37
    </affects>
38
    <description>
39
	<body xmlns="http://www.w3.org/1999/xhtml">
40
	<p>security-advisories@github.com reports:</p>
41
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w">
42
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
43
	Asset and IT Management Software package, that provides ITIL Service
44
	Desk features, licenses tracking and software auditing.  The ITIL
45
	actors input field from the Ticket form can be used to perform a
46
	SQL injection.  Users are advised to upgrade to version 10.0.10.
47
	There are no known workarounds for this vulnerability.</p>
48
	</blockquote>
49
	</body>
50
    </description>
51
    <references>
52
      <cvename>CVE-2023-42461</cvename>
53
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42461</url>
54
    </references>
55
    <dates>
56
      <discovery>2023-09-27</discovery>
57
      <entry>2023-10-11</entry>
58
    </dates>
59
  </vuln>
60
61
  <vuln vid="54e5573a-6834-11ee-b06f-0050569ceb3a">
62
    <topic>Phishing through a login page malicious URL in GLPI</topic>
63
    <affects>
64
      <package>
65
	<name>glpi</name>
66
	<range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
67
      </package>
68
    </affects>
69
    <description>
70
	<body xmlns="http://www.w3.org/1999/xhtml">
71
	<p>security-advisories@github.com reports:</p>
72
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-2hcg-75jj-hghp">
73
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
74
	Asset and IT Management Software package, that provides ITIL Service
75
	Desk features, licenses tracking and software auditing.  The lack
76
	of path filtering on the GLPI URL may allow an attacker to transmit
77
	a malicious URL of login page that can be used to attempt a phishing
78
	attack on user credentials.  Users are advised to upgrade to version
79
	10.0.10.  There are no known workarounds for this vulnerability.</p>
80
	</blockquote>
81
	</body>
82
    </description>
83
    <references>
84
      <cvename>CVE-2023-41888</cvename>
85
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41888</url>
86
    </references>
87
    <dates>
88
      <discovery>2023-09-27</discovery>
89
      <entry>2023-10-11</entry>
90
    </dates>
91
  </vuln>
92
93
  <vuln vid="20302cbc-6834-11ee-b06f-0050569ceb3a">
94
    <topic>Users login enumeration by unauthenticated user in GLPI</topic>
95
    <affects>
96
      <package>
97
	<name>glpi</name>
98
	<range><lt>10.0.10,1</lt></range>
99
      </package>
100
    </affects>
101
    <description>
102
	<body xmlns="http://www.w3.org/1999/xhtml">
103
	<p>security-advisories@github.com reports:</p>
104
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5cf4-6q6r-49x9">
105
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
106
	Asset and IT Management Software package, that provides ITIL Service
107
	Desk features, licenses tracking and software auditing.  An
108
	unauthenticated user can enumerate users logins.  Users are advised
109
	to upgrade to version 10.0.10.  There are no known workarounds for
110
	this vulnerability.</p>
111
	</blockquote>
112
	</body>
113
    </description>
114
    <references>
115
      <cvename>CVE-2023-41323</cvename>
116
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41323</url>
117
    </references>
118
    <dates>
119
      <discovery>2023-09-27</discovery>
120
      <entry>2023-10-11</entry>
121
    </dates>
122
  </vuln>
123
124
  <vuln vid="ae8b1445-6833-11ee-b06f-0050569ceb3a">
125
    <topic>Privilege Escalation from technician to super-admin in GLPI</topic>
126
    <affects>
127
      <package>
128
	<name>glpi</name>
129
	<range><ge>9.1.0,1</ge><lt>10.0.10,1</lt></range>
130
      </package>
131
    </affects>
132
    <description>
133
	<body xmlns="http://www.w3.org/1999/xhtml">
134
	<p>security-advisories@github.com reports:</p>
135
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-9j8m-7563-8xvr">
136
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
137
	Asset and IT Management Software package, that provides ITIL Service
138
	Desk features, licenses tracking and software auditing.  A user
139
	with write access to another user can make requests to change the
140
	latter&apos;s password and then take control of their account.
141
	Users are advised to upgrade to version 10.0.10.  There are no known
142
	work around for this vulnerability.</p>
143
	</blockquote>
144
	</body>
145
    </description>
146
    <references>
147
      <cvename>CVE-2023-41322</cvename>
148
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41322</url>
149
    </references>
150
    <dates>
151
      <discovery>2023-09-27</discovery>
152
      <entry>2023-10-11</entry>
153
    </dates>
154
  </vuln>
155
156
  <vuln vid="6851f3bb-6833-11ee-b06f-0050569ceb3a">
157
    <topic>Sensitive fields enumeration through API in GLPI</topic>
158
    <affects>
159
      <package>
160
	<name>glpi</name>
161
	<range><ge>9.1.1,1</ge><lt>10.0.10,1</lt></range>
162
      </package>
163
    </affects>
164
    <description>
165
	<body xmlns="http://www.w3.org/1999/xhtml">
166
	<p>security-advisories@github.com reports:</p>
167
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-3fxw-j5rj-w836">
168
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
169
	Asset and IT Management Software package, that provides ITIL Service
170
	Desk features, licenses tracking and software auditing.  An API
171
	user can enumerate sensitive fields values on resources on which
172
	he has read access.  Users are advised to upgrade to version 10.0.10.
173
	There are no known workarounds for this vulnerability.</p>
174
	</blockquote>
175
	</body>
176
    </description>
177
    <references>
178
      <cvename>CVE-2023-41321</cvename>
179
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41321</url>
180
    </references>
181
    <dates>
182
      <discovery>2023-09-27</discovery>
183
      <entry>2023-10-11</entry>
184
    </dates>
185
  </vuln>
186
187
  <vuln vid="df71f5aa-6831-11ee-b06f-0050569ceb3a">
188
    <topic>File deletion through document upload process in GLPI</topic>
189
    <affects>
190
      <package>
191
	<name>glpi</name>
192
	<range><ge>10.0.0,1</ge><lt>10.0.10,1</lt></range>
193
      </package>
194
    </affects>
195
    <description>
196
	<body xmlns="http://www.w3.org/1999/xhtml">
197
	<p>security-advisories@github.com reports:</p>
198
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75">
199
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
200
	Asset and IT Management Software package, that provides ITIL Service
201
	Desk features, licenses tracking and software auditing.  The document
202
	upload process can be diverted to delete some files.  Users are
203
	advised to upgrade to version 10.0.10.  There are no known workarounds
204
	for this vulnerability.</p>
205
	</blockquote>
206
	</body>
207
    </description>
208
    <references>
209
      <cvename>CVE-2023-42462</cvename>
210
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42462</url>
211
    </references>
212
    <dates>
213
      <discovery>2023-09-27</discovery>
214
      <entry>2023-10-11</entry>
215
    </dates>
216
  </vuln>
217
218
  <vuln vid="95c4ec45-6831-11ee-b06f-0050569ceb3a">
219
    <topic>Account takeover through API in GLPI</topic>
220
    <affects>
221
      <package>
222
	<name>glpi</name>
223
	<range><ge>9.3.0,1</ge><lt>10.0.10,1</lt></range>
224
      </package>
225
    </affects>
226
    <description>
227
	<body xmlns="http://www.w3.org/1999/xhtml">
228
	<p>security-advisories@github.com reports:</p>
229
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3">
230
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
231
	Asset and IT Management Software package, that provides ITIL Service
232
	Desk features, licenses tracking and software auditing.  An API
233
	user that have read access on users resource can steal accounts of
234
	other users.  Users are advised to upgrade to version 10.0.10.
235
	There are no known workarounds for this vulnerability.</p>
236
	</blockquote>
237
	</body>
238
    </description>
239
    <references>
240
      <cvename>CVE-2023-41324</cvename>
241
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41324</url>
242
    </references>
243
    <dates>
244
      <discovery>2023-09-27</discovery>
245
      <entry>2023-10-11</entry>
246
    </dates>
247
  </vuln>
248
249
  <vuln vid="040e69f1-6831-11ee-b06f-0050569ceb3a">
250
    <topic>Account takeover via Kanban feature in GLPI</topic>
251
    <affects>
252
      <package>
253
	<name>glpi</name>
254
	<range><ge>9.5.0,1</ge><lt>10.0.10,1</lt></range>
255
      </package>
256
    </affects>
257
    <description>
258
	<body xmlns="http://www.w3.org/1999/xhtml">
259
	<p>security-advisories@github.com reports:</p>
260
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5wj6-hp4c-j5q9">
261
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
262
	Asset and IT Management Software package, that provides ITIL Service
263
	Desk features, licenses tracking and software auditing.  A logged
264
	user from any profile can hijack the Kanban feature to alter any
265
	user field, and end-up with stealing its account.  Users are advised
266
	to upgrade to version 10.0.10.  There are no known workarounds for
267
	this vulnerability.</p>
268
	</blockquote>
269
	</body>
270
    </description>
271
    <references>
272
      <cvename>CVE-2023-41326</cvename>
273
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41326</url>
274
    </references>
275
    <dates>
276
      <discovery>2023-09-27</discovery>
277
      <entry>2023-10-11</entry>
278
    </dates>
279
  </vuln>
280
281
  <vuln vid="6f6518ab-6830-11ee-b06f-0050569ceb3a">
282
    <topic>Account takeover via SQL Injection in UI layout preferences in GLPI</topic>
283
    <affects>
284
      <package>
285
	<name>glpi</name>
286
	<range><ge>10.0.0,1</ge><lt>10.0.10,1</lt></range>
287
      </package>
288
    </affects>
289
    <description>
290
	<body xmlns="http://www.w3.org/1999/xhtml">
291
	<p>security-advisories@github.com reports:</p>
292
	<blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-mv2r-gpw3-g476">
293
	  <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
294
	Asset and IT Management Software package, that provides ITIL Service
295
	Desk features, licenses tracking and software auditing.  UI layout
296
	preferences management can be hijacked to lead to SQL injection.
297
	This injection can be use to takeover an administrator account.
298
	Users are advised to upgrade to version 10.0.10.  There are no known
299
	workarounds for this vulnerability.</p>
300
	</blockquote>
301
	</body>
302
    </description>
303
    <references>
304
      <cvename>CVE-2023-41320</cvename>
305
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41320</url>
306
    </references>
307
    <dates>
308
      <discovery>2023-09-27</discovery>
309
      <entry>2023-10-11</entry>
310
    </dates>
311
  </vuln>
312
313
  <vuln vid="257e1bf0-682f-11ee-b06f-0050569ceb3a">
314
    <topic>GLPI vulnerable to SQL injection via dashboard administration</topic>
315
    <affects>
316
      <package>
317
	<name>glpi</name>
318
	<range><ge>9.5.0,1</ge><lt>10.0.9,1</lt></range>
319
      </package>
320
    </affects>
321
    <description>
322
	<body xmlns="http://www.w3.org/1999/xhtml">
323
	<p>security-advisories@github.com reports:</p>
324
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.9">
325
	  <p>GLPI is a Free Asset and IT Management Software package, Data center
326
	management, ITIL Service Desk, licenses tracking and software
327
	auditing.  An administrator can trigger SQL injection via dashboards
328
	administration.  This vulnerability has been patched in version
329
	10.0.9.
330
	</p>
331
	</blockquote>
332
	</body>
333
    </description>
334
    <references>
335
      <cvename>CVE-2023-37278</cvename>
336
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-37278</url>
337
    </references>
338
    <dates>
339
      <discovery>2023-07-13</discovery>
340
      <entry>2023-10-11</entry>
341
    </dates>
342
  </vuln>
343
344
  <vuln vid="40173815-6827-11ee-b06f-0050569ceb3a">
345
    <topic>GLPI vulnerable to unauthorized access to User data</topic>
346
    <affects>
347
      <package>
348
	<name>glpi</name>
349
	<range><lt>10.0.8,1</lt></range>
350
      </package>
351
    </affects>
352
    <description>
353
	<body xmlns="http://www.w3.org/1999/xhtml">
354
	<p>security-advisories@github.com reports:</p>
355
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
356
	  <p>GLPI is a free asset and IT management software package.  Versions
357
	of the software starting with 0.68 and prior to 10.0.8 have an
358
	incorrect rights check on a on a file accessible by an authenticated
359
	user.  This allows access to the list of all users and their personal
360
	information.  Users should upgrade to version 10.0.8 to receive a
361
	patch.</p>
362
	</blockquote>
363
	</body>
364
    </description>
365
    <references>
366
      <cvename>CVE-2023-34106</cvename>
367
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34106</url>
368
    </references>
369
    <dates>
370
      <discovery>2023-07-05</discovery>
371
      <entry>2023-10-11</entry>
372
    </dates>
373
  </vuln>
374
375
  <vuln vid="1fe40200-6823-11ee-b06f-0050569ceb3a">
376
    <topic>GLPI vulnerable to unauthorized access to KnowbaseItem data</topic>
377
    <affects>
378
      <package>
379
	<name>glpi</name>
380
	<range><ge>9.2.0,1</ge><lt>10.0.8,1</lt></range>
381
      </package>
382
    </affects>
383
    <description>
384
	<body xmlns="http://www.w3.org/1999/xhtml">
385
	<p>security-advisories@github.com reports:</p>
386
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
387
	  <p>GLPI is a free asset and IT management software package.  Versions
388
	of the software starting with 9.2.0 and prior to 10.0.8 have an
389
	incorrect rights check on a on a file accessible by an authenticated
390
	user, allows access to the view all KnowbaseItems.  Version 10.0.8
391
	has a patch for this issue.</p>
392
	</blockquote>
393
	</body>
394
    </description>
395
    <references>
396
      <cvename>CVE-2023-34107</cvename>
397
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34107</url>
398
    </references>
399
    <dates>
400
      <discovery>2023-07-05</discovery>
401
      <entry>2023-10-11</entry>
402
    </dates>
403
  </vuln>
404
405
  <vuln vid="b14a6ddc-6821-11ee-b06f-0050569ceb3a">
406
    <topic>GLPI vulnerable to reflected XSS in search pages</topic>
407
    <affects>
408
      <package>
409
	<name>glpi</name>
410
	<range><ge>9.4.0,1</ge><lt>10.0.8,1</lt></range>
411
      </package>
412
    </affects>
413
    <description>
414
	<body xmlns="http://www.w3.org/1999/xhtml">
415
	<p>security-advisories@github.com reports:</p>
416
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
417
	  <p>GLPI is a free asset and IT management software package.  Starting
418
	in version 9.4.0 and prior to version 10.0.8, a malicious link can
419
	be crafted by an unauthenticated user that can exploit a reflected
420
	XSS in case any authenticated user opens the crafted link.  Users
421
	should upgrade to version 10.0.8 to receive a patch.</p>
422
	</blockquote>
423
	</body>
424
    </description>
425
    <references>
426
      <cvename>CVE-2023-34244</cvename>
427
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34244</url>
428
    </references>
429
    <dates>
430
      <discovery>2023-07-05</discovery>
431
      <entry>2023-10-11</entry>
432
    </dates>
433
  </vuln>
434
435
  <vuln vid="95fde6bc-6821-11ee-b06f-0050569ceb3a">
436
    <topic>GLPI vulnerable to unauthenticated access to Dashboard data</topic>
437
    <affects>
438
      <package>
439
	<name>glpi</name>
440
	<range><ge>9.5.0,1</ge><lt>10.0.8,1</lt></range>
441
      </package>
442
    </affects>
443
    <description>
444
	<body xmlns="http://www.w3.org/1999/xhtml">
445
	<p>security-advisories@github.com reports:</p>
446
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
447
	  <p>GLPI is a free asset and IT management software package.  Starting
448
	in version 9.5.0 and prior to version 10.0.8, an incorrect rights
449
	check on a file allows an unauthenticated user to be able to access
450
	dashboards data.  Version 10.0.8 contains a patch for this issue.</p>
451
	</blockquote>
452
	</body>
453
    </description>
454
    <references>
455
      <cvename>CVE-2023-35940</cvename>
456
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35940</url>
457
    </references>
458
    <dates>
459
      <discovery>2023-07-05</discovery>
460
      <entry>2023-10-11</entry>
461
    </dates>
462
  </vuln>
463
464
  <vuln vid="717efd8a-6821-11ee-b06f-0050569ceb3a">
465
    <topic>GLPI vulnerable to unauthorized access to Dashboard data</topic>
466
    <affects>
467
      <package>
468
	<name>glpi</name>
469
	<range><ge>9.5.0,1</ge><lt>10.0.8,1</lt></range>
470
      </package>
471
    </affects>
472
    <description>
473
	<body xmlns="http://www.w3.org/1999/xhtml">
474
	<p>security-advisories@github.com reports:</p>
475
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
476
	  <p>GLPI is a free asset and IT management software package.  Starting
477
	in version 9.5.0 and prior to version 10.0.8, an incorrect rights
478
	check on a on a file accessible by an authenticated user (or not
479
	for certain actions), allows a threat actor to interact, modify,
480
	or see Dashboard data.  Version 10.0.8 contains a patch for this
481
	issue.</p>
482
	</blockquote>
483
	</body>
484
    </description>
485
    <references>
486
      <cvename>CVE-2023-35939</cvename>
487
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35939</url>
488
    </references>
489
    <dates>
490
      <discovery>2023-07-05</discovery>
491
      <entry>2023-10-11</entry>
492
    </dates>
493
  </vuln>
494
495
  <vuln vid="548a4163-6821-11ee-b06f-0050569ceb3a">
496
    <topic>GLPI vulnerable to SQL injection through Computer Virtual Machine information</topic>
497
    <affects>
498
      <package>
499
	<name>glpi</name>
500
	<range><lt>10.0.8,1</lt></range>
501
      </package>
502
    </affects>
503
    <description>
504
	<body xmlns="http://www.w3.org/1999/xhtml">
505
	<p>security-advisories@github.com reports:</p>
506
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
507
	  <p>GLPI is a free asset and IT management software package.  Starting
508
	in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
509
	form and GLPI inventory request can be used to perform a SQL injection
510
	attack.  Version 10.0.8 has a patch for this issue.  As a workaround,
511
	one may disable native inventory.</p>
512
	</blockquote>
513
	</body>
514
    </description>
515
    <references>
516
      <cvename>CVE-2023-36808</cvename>
517
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-36808</url>
518
    </references>
519
    <dates>
520
      <discovery>2023-07-05</discovery>
521
      <entry>2023-10-11</entry>
522
    </dates>
523
  </vuln>
524
525
  <vuln vid="e44e5ace-6820-11ee-b06f-0050569ceb3a">
526
    <topic>GLPI vulnerable to SQL injection via inventory agent request</topic>
527
    <affects>
528
      <package>
529
	<name>glpi</name>
530
	<range><ge>10.0.0,1</ge><lt>10.0.8,1</lt></range>
531
      </package>
532
    </affects>
533
    <description>
534
	<body xmlns="http://www.w3.org/1999/xhtml">
535
	<p>security-advisories@github.com reports:</p>
536
	<blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
537
	  <p>GLPI is a free asset and IT management software package.  Starting
538
	in version 10.0.0 and prior to version 10.0.8, GLPI inventory
539
	endpoint can be used to drive a SQL injection attack.  By default,
540
	GLPI inventory endpoint requires no authentication.  Version 10.0.8
541
	has a patch for this issue.  As a workaround, one may disable native
542
	inventory.</p>
543
	</blockquote>
544
	</body>
545
    </description>
546
    <references>
547
      <cvename>CVE-2023-35924</cvename>
548
      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35924</url>
549
    </references>
550
    <dates>
551
      <discovery>2023-07-05</discovery>
552
      <entry>2023-10-11</entry>
553
    </dates>
554
  </vuln>
555
1
  <vuln vid="bdfa6c04-027a-11ef-9c21-901b0e9408dc">
556
  <vuln vid="bdfa6c04-027a-11ef-9c21-901b0e9408dc">
2
    <topic>py-matrix-synapse -- weakness in auth chain indexing allows DoS</topic>
557
    <topic>py-matrix-synapse -- weakness in auth chain indexing allows DoS</topic>
3
    <affects>
558
    <affects>
