by Flavia Calonego | Nov 6, 2024 | News
A new GLPI version is available!
This release fixes a few security issues that have been recently discovered. The update is recommended!
You can download the GLPI 10.0.17 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- Unauthenticated session hijacking (CVE-2024-50339)
- Account takeover through SQL injection (CVE-2024-40638)
- Users email enumeration by unauthenticated user (CVE-2024-43416)
- Account takeover without privilege escalation through the API (CVE-2024-47758)
- Account takeover via the password reset feature (CVE-2024-47761)
- Account takeover via API (CVE-2024-47760)
- Insecure account deletion by authenticated user (CVE-2024-48912)
- Authenticated SQL Injection (CVE-2024-45608)
- Authenticated SQL injection in ticket form (CVE-2024-41679)
- Stored XSS in RSS feeds (CVE-2024-45611)
- Stored XSS via document upload (CVE-2024-47759)
- Multiple reflected XSS (CVE-2024-43417, CVE-2024-43418, CVE-2024-45609, CVE-2024-45610, CVE-2024-41678)
Many bug fixes have also been made, read the full changelog for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.
Follow us on our social media!
by Daniela Buxo | Sep 14, 2022 | News
A new GLPI version is available.
This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!
You can download the GLPI 10.0.3 archive on GitHub.
Exceptionally, as we have critical security issues that affects GLPI 9.5, we also release a GLPI 9.5.9 archive.
You’ll find below the list of security issues fixed in this bugfixes version:
- XSS through registration API (CVE-2022-35945)
- Leak of sensitive information through login page error (CVE-2022-31143)
- Stored XSS through global search (CVE-2022-31187)
- Command injection using a third-party library script (CVE-2022-35914)
- SQL injection through plugin controller (CVE-2022-35946)
- Authentication via SQL injection (CVE-2022-35947)
- Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)
Also, here is a short list of main changes done in this version:
- More precise rights checks on inventory (#12610)
- Display of last inventoried value for locked fields (#12602)
- Permit to use rules to add computers as virtual machines (#12572)
- Delegate session cookies security to sysadmin (#12302)
- Prevent collector failure on invalid mail header (#12232)
- Many fixes on network inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.
