Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Glpi
(Glpi\-Project)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 127 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-07-17 | CVE-2017-11329 | GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. | Glpi | 9.8 | ||
| 2017-07-28 | CVE-2017-11184 | SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. | Glpi | 9.8 | ||
| 2017-07-28 | CVE-2017-11183 | front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter. | Glpi | 4.9 | ||
| 2017-07-19 | CVE-2016-7509 | Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket. | Glpi | 5.4 | ||
| 2017-06-21 | CVE-2016-7508 | Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. | Glpi | 7.5 | ||
| 2017-07-19 | CVE-2016-7507 | Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application. | Glpi | 8.0 | ||
| 2015-10-05 | CVE-2015-7685 | GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php. | Glpi | N/A | ||
| 2015-10-05 | CVE-2015-7684 | Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/. | Glpi | N/A | ||
| 2014-12-19 | CVE-2014-9258 | SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. | Glpi | N/A | ||
| 2015-04-14 | CVE-2014-8360 | Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php. | Glpi | N/A |