Vulnerabilities > Glpi Project

DATE CVE VULNERABILITY TITLE RISK
2020-11-26 CVE-2020-27663 Insecure Storage of Sensitive Information vulnerability in Glpi-Project Glpi
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
network
low complexity
glpi-project CWE-922
4.0
2020-11-26 CVE-2020-27662 Insecure Storage of Sensitive Information vulnerability in Glpi-Project Glpi
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
network
low complexity
glpi-project CWE-922
4.0
2020-11-25 CVE-2020-26212 Missing Authorization vulnerability in Glpi-Project Glpi
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing.
network
low complexity
glpi-project CWE-862
4.0
2020-10-07 CVE-2020-15226 SQL Injection vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function.
network
low complexity
glpi-project CWE-89
5.0
2020-10-07 CVE-2020-15217 Cross-Site Scripting vulnerability in Glpi-Project Glpi 9.5.0/9.5.1
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ.
network
low complexity
glpi-project CWE-79
5.0
2020-10-07 CVE-2020-15177 Cross-Site Scripting vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`.
4.3
2020-10-07 CVE-2020-15176 SQL Injection vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur.
network
low complexity
glpi-project CWE-89
5.0
2020-10-07 CVE-2020-15175 Files OR Directories Accessible TO External Parties vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, the `?pluginimage.send.php?` endpoint allows a user to specify an image from a plugin.
network
low complexity
glpi-project CWE-552
6.4
2020-09-23 CVE-2020-11031 USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.0, the encryption algorithm used is insecure.
network
low complexity
glpi-project CWE-327
5.0
2020-07-17 CVE-2020-15108 SQL Injection vulnerability in Glpi-Project Glpi
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature.
network
low complexity
glpi-project CWE-89
4.0