Vulnerabilities > Glpi Project

DATE CVE VULNERABILITY TITLE RISK
2020-10-07 CVE-2020-15217 Cross-site Scripting vulnerability in Glpi-Project Glpi 9.5.0/9.5.1
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ.
network
low complexity
glpi-project CWE-79
5.0
2020-10-07 CVE-2020-15177 Cross-site Scripting vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`.
4.3
2020-10-07 CVE-2020-15176 SQL Injection vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur.
network
low complexity
glpi-project CWE-89
5.0
2020-10-07 CVE-2020-15175 Files or Directories Accessible to External Parties vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.2, the `?pluginimage.send.php?` endpoint allows a user to specify an image from a plugin.
network
low complexity
glpi-project CWE-552
critical
9.1
2020-09-23 CVE-2020-11031 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Glpi-Project Glpi
In GLPI before version 9.5.0, the encryption algorithm used is insecure.
network
low complexity
glpi-project CWE-327
5.0
2020-07-17 CVE-2020-15108 SQL Injection vulnerability in Glpi-Project Glpi
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature.
network
low complexity
glpi-project CWE-89
4.0
2020-05-12 CVE-2020-11062 Cross-site Scripting vulnerability in Glpi-Project Glpi
In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type.
3.5
2020-05-12 CVE-2020-11060 Cross-Site Request Forgery (CSRF) vulnerability in Glpi-Project Glpi
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality.
network
low complexity
glpi-project CWE-352
critical
9.0
2020-05-12 CVE-2020-5248 Use of Hard-coded Credentials vulnerability in Glpi-Project Glpi
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key.
network
low complexity
glpi-project CWE-798
5.0
2020-05-05 CVE-2020-11036 Cross-site Scripting vulnerability in Glpi-Project Glpi
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities.
network
low complexity
glpi-project CWE-79
5.4