Teclib’ is happy to announce the release of GLPI 9.5.4.

This release fixes several medium-severity security issues that were recently discovered. Updating is recommended!

You can download the GLPI 9.5.4 archive on GitHub.

Here is the list of security cases detected and fixed in this version:

  • Horizontal Privilege Escalation (CVE-2021-21326 by @indevi0us)
  • Entities switch IDOR (CVE-2021-21255 by @indevi0us)
  • XSS injection in ajax/kanban (CVE-2021-21258 by @lbpierre)
  • XSS injection on ticket update (CVE-2021-21314 by @ArianeBlow)
  • Stored XSS on documents (CVE-2021-21312 by @RedShellSec)
  • XSS on tabs (CVE-2021-21313 by @RedShellSec)
  • Stored XSS in budget type (CVE-2021-21325 by @lbpierre)
  • Remote objects instantiation (CVE-2021-21327 by @vadymsoroka)
  • Insecure Direct Object Reference (IDOR) on “Solutions” (CVE-2021-21324 by @indevi0us)

Note that some of these issues have been present for a long time (since version 0.68), but this time none of them was rated high or critical.

We also fixed a lot of bugs; here are the important ones:

  • We continue the work on stabilising the usage of laminas/mail library:
    • Handle RFC5987 format in Content-Disposition header
    • Fix email attachment decoding logic
    • Fix tickets ID fetching from email headers
  • For the dashboards:
    • Fix graph counts
    • Add search filter criteria for widget by year
    • New filter ‘my groups’
  • Misc:
    • Populate meta criteria in a generic way
    • Make custom CSS from entities inheritable
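As an added illustration of the RFC 5987 item above (example code, not GLPI's or laminas/mail's own implementation), a small parser for the `Content-Disposition` header: it decodes the extended `filename*=charset'lang'pct-encoded` form, prefers it over the plain `filename`, falls back to the plain form when the extended value is malformed, and strips any path component before the name is used to store an attachment. Function names and the fallback name are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Parameter grammar: token [*] = (quoted-string | unquoted-value)
_PARAM_RE = re.compile(r'([A-Za-z0-9!#$&+.^_`|~-]+)(\*?)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def decode_ext_value(value: str) -> str:
    """Decode an RFC 5987 ext-value: charset "'" [language] "'" pct-encoded."""
    parts = value.split("'", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed ext-value: {value!r}")
    charset, _language, encoded = parts
    charset = charset.lower()
    if charset not in ("utf-8", "iso-8859-1"):  # the only charsets RFC 5987 requires
        raise ValueError(f"unsupported charset: {charset}")
    return unquote(encoded, encoding=charset, errors="strict")


def parse_content_disposition(header: str) -> tuple[str, dict]:
    """Return (disposition-type, params); a valid filename* overrides filename."""
    disposition, _, rest = header.partition(";")
    plain, extended = {}, {}
    for match in _PARAM_RE.finditer(rest):
        name, star, raw = match.group(1).lower(), match.group(2), match.group(3).strip()
        if star:
            try:
                extended[name] = decode_ext_value(raw)
            except (ValueError, UnicodeDecodeError):
                continue  # malformed extended value: keep the plain form instead
        else:
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape quoted-string
            plain[name] = raw
    plain.update(extended)
    return disposition.strip().lower(), plain


def safe_attachment_name(header: str, fallback: str = "attachment.bin") -> str:
    """Name to store an attachment under: decoded, with any path part removed."""
    _, params = parse_content_disposition(header)
    name = params.get("filename", "").replace("\\", "/").rsplit("/", 1)[-1].strip()
    return fallback if name in ("", ".", "..") else name
```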

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Need professional support? Check our options here: https://glpi-project.org/subscriptions/