A new GLPI version is available.

This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!

You can download the GLPI 10.0.3 archive on GitHub.
Exceptionally, as we have critical security issues that affects GLPI 9.5, we also release a GLPI 9.5.9 archive.

You’ll find below the list of security issues fixed in this bugfixes version:

  • XSS through registration API (CVE-2022-35945)
  • Leak of sensitive information through login page error (CVE-2022-31143)
  • Stored XSS through global search (CVE-2022-31187)
  • Command injection using a third-party library script (CVE-2022-35914)
  • SQL injection through plugin controller (CVE-2022-35946)
  • Authentication via SQL injection (CVE-2022-35947)
  • Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)

Also, here is a short list of main changes done in this version:

  • More precise rights checks on inventory (#12610)
  • Display of last inventoried value for locked fields (#12602)
  • Permit to use rules to add computers as virtual machines (#12572)
  • Delegate session cookies security to sysadmin (#12302)
  • Prevent collector failure on invalid mail header (#12232)
  • Many fixes on network inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!