After several weeks, Teclib’ is happy to announce the release of GLPI 9.5.2.

This release fixes several security issues that has been recently discovered. Update is strongly recommended!

You can download the GLPI 9.5.2 archive on GitHub.

Here is the list of security flaws detected and fixed in this version:

  • SQL injection with a query parameter of user form (CVE-2020-15176)
  • Removal of .htaccess file in the files folder via a plugin endpoint (CVE-2020-15175)
  • Leakage issue with knowledge base (CVE-2020-15217)
  • Stored XSS in install script (CVE-2020-15177)
  • Minor SQL Injection in Search API (CVE-2020-15226)

Note, some are present since a long time (0.68).

We also fixed a lot of issues, here are important ones:

  • mailgates issues:
    • encoding errors
    • missing images in some tickets
    • exceptions for some particular messages
  • a small notice (listTables) was visible while updating to 9.5.1.
  • in some rare cases, the encryption process of passwords could fail
  • For the dashboards:
    • fix user preferences
    • fix overlap of mini dashboard above tickets list

And we worked on improving the dashboards:

  • new summary widget
  • new articles widget
  • display labels on point and bar (with a new available option)
  • cards have now a minimum size
  • we added personnal filters. Toggle edit mode, and add filters on top of dashboards.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!