New version GLPI 10.0.7: A new GLPI version is available.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.7 archive on GitHub.
We still maintain maintain the 9.5 branch for security fixes and we also release a new version for it: GLPI 9.5.13 archive

You will find below the list of security issues fixed in this bugfixes version:

  • SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
  • Account takeover by authenticated user (CVE-2023-28632).
  • SQL injection through dynamic reports (CVE-2023-28838).
  • Stored XSS through dashboard administration (CVE-2023-28852).
  • Stored XSS on external links (CVE-2023-28636).
  • Reflected XSS in search pages (CVE-2023-28639).
  • Privilege Escalation from technician to super-admin (CVE-2023-28634).
  • Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

  • Optional GLPI router to be able to use a safer web server root directory.
  • Support of SMTP OAuth authentication.
  • Improved inventory file upload feature.
  • Many fixes and improvements on native inventory.
  • Some bugs on PHP 8.2.
  • Caching issues on entities.
  • Boolean FullText operator not working on knowledge base search.
  • Unexpected search results when using negative condition on ticket actors.
  • Issues with LDAP filters/DN.
  • Unexpected results when searching on knowledge base categories.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Download GLPI now: