A new GLPI version is available.

This release fixes several security issues that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for 9.5 branch : GLPI 9.5.10 archive

You will find below the list of security issues fixed in this bugfixes version:

  • Blind SSRF in RSS feeds and planning (CVE-2022-39276)
  • Stored XSS in user information (CVE-2022-39372)
  • Stored XSS in entity name (CVE-2022-39373)
  • Improper input validation on emails links (CVE-2022-39376)
  • Improper access to debug panel (CVE-2022-39370)
  • User’s session persist after permanently deleting his account (CVE-2022-39234)
  • Stored XSS on login page (CVE-2022-39262)
  • XSS in external links (CVE-2022-39277)
  • XSS through public RSS feed (CVE-2022-39375)
  • SQL Injection on REST API (CVE-2022-39323)
  • Stored XSS through asset inventory (CVE-2022-39371)

Also, here is a short list of main changes done in this version:

  • Increase significantly dashboards performance
  • Several bugs on images pasting
  • Fixed and improved inventory locks management
  • Display of printer cartridges
  • Display and hide actors tooltips in tickets
  • Improve display of headers above forms
  • Move breakpoints on responsive displays
  • Inventory API is now disabled by default
  • Dedicated rights has been added for inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!