GLPI 9.5.4

Teclib’ is happy to announce the release of GLPI 9.5.4.

This release fixes several medium-severity security issues that have recently been discovered. Updating is recommended!

You can download the GLPI 9.5.4 archive on GitHub.

Here is the list of security issues detected and fixed in this version:

  • Horizontal Privilege Escalation (CVE-2021-21326 by @indevi0us)
  • Entities switch IDOR (CVE-2021-21255 by @indevi0us)
  • XSS injection in ajax/kanban (CVE-2021-21258 by @lbpierre)
  • XSS injection on ticket update (CVE-2021-21314 by @ArianeBlow)
  • Stored XSS on documents (CVE-2021-21312 by @RedShellSec)
  • XSS on tabs (CVE-2021-21313 by @RedShellSec)
  • Stored XSS in budget type (CVE-2021-21325 by @lbpierre)
  • Remote objects instantiation (CVE-2021-21327 by @vadymsoroka)
  • Insecure Direct Object Reference (IDOR) on “Solutions” (CVE-2021-21324 by @indevi0us)

Note that some of these have been present for a long time (since version 0.68), but this time none of them was considered high/critical.

We also fixed a lot of bugs; here are the important ones:

  • We continue the work on stabilising the usage of the laminas/mail library:
    • Handle the RFC 5987 format in the Content-Disposition header
    • Fix email attachment decoding logic
    • Fix ticket ID fetching from email headers
  • For the dashboards:
    • Fix graph counts
    • Add search filter criteria for widget by year
    • New filter ‘my groups’
  • Misc:
    • Populate meta criteria in a generic way
    • Make custom CSS from entities inheritable

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Need professional support? Check our options here: https://glpi-project.org/subscriptions/

Formcreator 2.11.0

The Formcreator plugin for GLPI allows you to create custom, easy-to-access forms that generate one or more tickets or changes when the form is submitted. Today we are happy to announce the release of Formcreator plugin version 2.11.0.

Want to know more about how it works? Find the answer in our blog post.

Bug Fixes:

  • actorsfield: missed function rename
  • condition: loss of condition on submit button
  • entityconfig: bad constant value
  • form: add label to validator inputs
  • form: add spacing between questions
  • form: reimplement submit button conditions
  • issue: loss of issue on automatic action
  • question: handle long label display
  • section: further improve UI

The full list is available here: click

Features

  • condition: add condition to show or hide the item
  • dropdownfield: integrate splitcat

Download: link

New plugin: rename GLPI strings (localeoverride)

A new plugin is available in the GLPI Network offers: rename GLPI strings (localeoverride).

A complete, modern rewrite of the old Renamer plugin, this new plugin is based on the new locale loading system introduced in GLPI 9.5.
The plugin brings a UI to search for strings, modify them and generate the files needed by GLPI.

You can now download this plugin via the integrated marketplace of GLPI 9.5 or from the plugins catalog. It is also available on the GLPI Network Cloud platform!

If you wish to obtain professional support and want to secure your GLPI instance, don’t hesitate to contact us using this form or purchase it online here: GLPI Network Subscriptions

Formcreator 2.11.0 – beta 1

This version is a beta. You can contribute to improving the plugin before the final release, planned for the last week of January 2021.

How can you help?

  • Test the upgrade process of the plugin.
  • Test the new features, especially the new questions layout for forms.
  • Help translate the locales into your language. Translations are stored on Transifex.

Download: click here

Important note:
The growing popularity of this plugin means it is used in more complex use cases. Recent issues and feedback show that two important design decisions must evolve:

  • entity restrictions in some parts of the plugin;
  • consistency checks when showing forms to requesters;
  • processing their answers;
  • consistency checks when designing forms.

These enhancements will impact some complex use cases by changing the items available in dropdowns / assets when a requester fills in a form. Those changes will only occur in minor version updates.
In other words, we recommend that you carefully check forms containing questions related to dropdowns, assets, users and groups before upgrading to version 2.11.x.

This version contains the following change:

The entity of dropdowns is now relative to the form, not the user (see #2023).

Major features

  • Questions are now positioned on a 4-column grid and may have variable width
  • The service catalog may split forms and KB into 2 distinct menu entries (disabled by default)
  • Default sorting of forms (alphabetic, popularity) is now customizable (see entity > forms tab)
  • Captcha for anonymous forms (disabled by default)

Deprecated

  • SyncIssues automatic action is now disabled by default. Upgrading to 2.11 will disable it as well.

GLPI 9.5.3

Teclib’ is happy to announce the release of GLPI 9.5.3.

This release fixes medium-severity security issues that have recently been discovered. Updating is recommended!

You can download the GLPI 9.5.3 archive on GitHub.

Here is the list of security issues detected and fixed in this version:

  • Any CalDAV calendar is readable by every authenticated user (CVE-2020-26212)
  • Insecure Direct Object References in ajax files (CVE-2020-27662 and CVE-2020-27663)

Note that some of these have been present for a long time (since version 0.68), but this time none of them was considered high/critical.

We also fixed a lot of bugs; here are the important ones:

  • We continue the work on stabilizing the usage of the laminas/mail library:
    • Attachments with a specific Content-Disposition were not imported as documents.
    • Some HTML mails were imported as text (and HTML was present in the description of the ticket).
  • For the dashboards:
    • Bar and line graphs were not animated correctly in recent versions of Chromium-based browsers.
    • Default pages for users without a dashboard were empty.
    • Added some missing filters: tech users and tech groups.
  • Misc:
    • A new CLI command to set GLPI configuration values.
    • Response time on the personal tab of the index is now improved.
    • PHP8 compatibility.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

SQL for dashboards

This plugin allows administrators to create new data providers for the GLPI dashboards.

It currently provides:

  • a code editor (based on Monaco) bringing syntax highlighting, automatic formatting and autocomplete for tables;
  • CSV and JSON export;
  • embedding of your query results in an external application (without using the GLPI dashboard).

Download the plugin: https://plugins.glpi-project.org/#/plugin/advanceddashboard