A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.6 archive on GitHub.
We still maintain maintain the 9.5 branch for security fixes and we also release a new version for it: GLPI 9.5.12 archive

You will find below the list of security issues fixed in this bugfixes version:

  • Unauthorized access to inventory files (CVE-2023-22500)
  • XSS on browse views (CVE-2023-22722)
  • XSS on external links (CVE-2023-22725)
  • XSS in RSS Description Link (CVE-2023-22724)
  • Unauthorized access to data export (CVE-2023-23610)
  • Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

Also, here is a short list of main changes done in this version:

  • Unmanaged devices can be handled like a real asset.
  • Handle more actions for stale inventory agents.
  • Added new dictionnary rules for OS.
  • Removed glpi: prefix on console commands.
  • PHP 8.2 support.
  • Many fixes and improvements on native inventory.
  • Reservation display on self-service profile.
  • Mail collector issues with emails sent from Outlook.
  • Dashboard issues on “All” tab.
  • Ticket input is restored when submitted form is not complete.
  • Notification was not sent when ticket status was set to “pending”.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!