A new GLPI version is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.8 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- SQL injection via inventory agent request (CVE-2023-35924).
- SQL injection through Computer Virtual Machine information (CVE-2023-36808).
- Unauthorized access to Dashboard data (CVE-2023-35939).
- Unauthenticated access to Dashboard data (CVE-2023-35940).
- Reflected XSS in search pages (CVE-2023-34244).
- Unauthorized access to knowledge base items (CVE-2023-34107).
- Unauthorized access to user data (CVE-2023-34106).
Also, here is a short list of main changes done in this version:
- Improve mail grouping (#14296)
- Add deleted status in item’s header (#14382)
- Add option to control the display of dropdowns labels (#14472)
- Permits to check DB schema from GLPI versions >= 0.80 (#14666)
- Improve performance of plugins init (#14511)
- Improve performance of kanban views (#14525, #14599, #14764)
- Ldap issues with PHP versions >= 8.1 (#14561)
- SLA waiting time duration (#14937)
- Notification encoding for MS Outlook (#14959)
- A lot of fixes in native inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!