Vulnerabilities > Glpi Project > Glpi > 9.2.3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-05-05 | CVE-2020-11035 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. | 9.3 |
| 2020-05-05 | CVE-2020-11034 | Open Redirect vulnerability in Glpi-Project Glpi In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. | 6.1 |
| 2020-05-05 | CVE-2020-11033 | Information Exposure vulnerability in multiple products In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. | 7.2 |
| 2019-09-25 | CVE-2019-14666 | Information Exposure vulnerability in Glpi-Project Glpi GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. | 6.5 |
| 2019-07-10 | CVE-2019-13240 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Glpi-Project Glpi An issue was discovered in GLPI before 9.4.1. | 4.3 |
| 2019-07-04 | CVE-2019-13239 | Cross-site Scripting vulnerability in Glpi-Project Glpi inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture. | 4.3 |
| 2019-03-27 | CVE-2019-10233 | Information Exposure Through Discrepancy vulnerability in Glpi-Project Glpi Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie. | 6.8 |
| 2018-07-02 | CVE-2018-13049 | SQL Injection vulnerability in Glpi-Project Glpi The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php. | 6.5 |