A new GLPI version is available.

This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!

You can download the GLPI 10.0.2 archive on GitHub.
Exceptionally, as we have a critical security issue on an unauthenticated page, we also release a GLPI 9.5.8 archive.

You’ll find below the list of security issues fixed in this bugfixes version:

  • Unauthenticated SQL injection on login page (CVE-2022-31061)
  • SQL injection on actor part in assistance forms (CVE-2022-31056)
  • Unauthenticated Sensitive Data Exposure on Refused Inventory Files (CVE-2022-31068)

Also, here is a short list of important bugfixes done in this version:

  • FIX adding actors to ITIL Objects (#11796, #11957)
  • FIX unwanted “promote to ticket” feature on self-service interface (#11834)
  • FIX native inventory do not inject switch information (#11864)
  • FIX entity for software creation (#11887, #11837)
  • FEAT permits global lock on entity (#11853)

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.