Vulnerabilities > Glpi Project > Glpi > 9.1.4
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-05-05 | CVE-2020-11033 | Information Exposure vulnerability in multiple products In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. | 7.2 |
| 2019-09-25 | CVE-2019-14666 | Information Exposure vulnerability in Glpi-Project Glpi GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. | 6.5 |
| 2019-07-10 | CVE-2019-13240 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Glpi-Project Glpi An issue was discovered in GLPI before 9.4.1. | 4.3 |
| 2019-07-04 | CVE-2019-13239 | Cross-site Scripting vulnerability in Glpi-Project Glpi inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. | 4.3 |
| 2019-03-27 | CVE-2019-10233 | Information Exposure Through Discrepancy vulnerability in Glpi-Project Glpi Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie. | 6.8 |
| 2018-03-12 | CVE-2018-7563 | Cross-site Scripting vulnerability in Glpi-Project Glpi An issue was discovered in GLPI through 9.2.1. | 4.3 |
| 2018-03-12 | CVE-2018-7562 | Race Condition vulnerability in Glpi-Project Glpi A remote code execution issue was discovered in GLPI through 9.2.1. | 6.0 |
| 2017-07-28 | CVE-2017-11184 | SQL Injection vulnerability in Glpi-Project Glpi SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. | 7.5 |
| 2017-07-28 | CVE-2017-11183 | Improper Input Validation vulnerability in Glpi-Project Glpi front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter. | 5.5 |
| 2017-07-20 | CVE-2017-11475 | SQL Injection vulnerability in Glpi-Project Glpi GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php. | 6.5 |