Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
glpi-project glpi 9.4.6 vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv2
CVE-2021-44617
A SQL Injection vulnerability exits in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated.
Glpi-project Glpi 9.4.6
9
CVSSv2
CVE-2020-11060
In GLPI prior to 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivabl...
Glpi-project Glpi
2 Github repositories
3.5
CVSSv2
CVE-2020-11062
In GLPI after 0.68.1 and prior to 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
Glpi-project Glpi
5
CVSSv2
CVE-2020-5248
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing i...
Glpi-project Glpi
3 Github repositories
6
CVSSv2
CVE-2020-11033
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete dat...
Glpi-project Glpi
Fedoraproject Fedora 31
Fedoraproject Fedora 32
5.8
CVSSv2
CVE-2020-11034
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
Glpi-project Glpi
6.4
CVSSv2
CVE-2020-11035
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
Glpi-project Glpi
Fedoraproject Fedora 31
Fedoraproject Fedora 32
3.5
CVSSv2
CVE-2020-11036
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "<script>alert(1)</script>" reproduces the attack. This ...
Glpi-project Glpi
6.5
CVSSv2
CVE-2020-11032
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
Glpi-project Glpi 9.4.5
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
HTML injection
CVE-2024-35894
SQL
CVE-2024-5105
CVE-2014-100005
CVE-2024-35895
unauthorized
CVE-2024-22120
CVE-2024-35890
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started