cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-25192,https://securityvulnerability.io/vulnerability/CVE-2025-25192,Sensitive Information Disclosure in GLPI IT Management Software,"GLPI, an open-source asset and IT management software, allows a low-privileged user to enable debug mode and access sensitive information in versions prior to 10.0.18. This can expose system internals that should remain confidential, potentially compromising the integrity and security of the IT environment. Users are urged to update to version 10.0.18 or apply the recommended workaround of deleting the 'install/update.php' file.",GLPI Project,Glpi,6.5,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T17:58:20.388Z,0
CVE-2025-23046,https://securityvulnerability.io/vulnerability/CVE-2025-23046,Authentication Bypass Vulnerability in GLPI IT Management Software,"GLPI, a widely used free asset and IT management software, is susceptible to an authentication bypass. The issue arises when a 'Mail servers' authentication provider is set up to use an OAuth connection through the OauthIMAP plugin. Prior to version 10.0.18, this flaw permits unauthorized users to log in to GLPI using a username associated with an OAuth authorization, potentially compromising system integrity. To mitigate this risk, upgrade to version 10.0.18, which includes a patch, or disable the OauthIMAP plugin for 'Mail servers' authentication. More details can be found in the official advisory.",GLPI Project,Glpi,6.3,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T17:48:17.801Z,0
CVE-2025-23024,https://securityvulnerability.io/vulnerability/CVE-2025-23024,Plugin Disabling Vulnerability in GLPI Asset Management Software,"GLPI, an open-source asset and IT management software, allows anonymous users to disable all active plugins. This issue affects versions from 0.72 up to 10.0.17 and is patched in version 10.0.18. For immediate mitigation, remove the `install/update.php` file as a workaround.",GLPI Project,Glpi,6.9,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T15:47:32.768Z,0
CVE-2025-21627,https://securityvulnerability.io/vulnerability/CVE-2025-21627,Reflected XSS Vulnerability in GLPI IT Management Software,"GLPI, a popular free asset and IT management software, is susceptible to a reflected XSS vulnerability in versions prior to 10.0.18. The issue lies in the search page: an attacker can craft a malicious link, in particular when anonymous ticket creation is enabled, that lets an unauthenticated user execute scripts in the victim's browser, compromising the application and its users. The vulnerability is fixed in version 10.0.18.",GLPI Project,Glpi,6.5,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T15:43:34.919Z,0
CVE-2025-21626,https://securityvulnerability.io/vulnerability/CVE-2025-21626,Sensitive Information Exposure in GLPI IT Management Software,"GLPI, a widely used free asset and IT management software, allows anonymous users to access sensitive information via the `status.php` endpoint. This flaw is present in versions from 0.71 up to 10.0.17 and can lead to unauthorized disclosure of critical data. Version 10.0.18 resolves this vulnerability. As immediate workarounds, delete the `status.php` file, restrict access to it, or remove any sensitive values from the `name` field of active LDAP directories and mail authentication providers.",GLPI Project,Glpi,5.8,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T15:37:27.689Z,0
CVE-2024-11955,https://securityvulnerability.io/vulnerability/CVE-2024-11955,Open Redirect Vulnerability in GLPI by GLPI Project,"A vulnerability exists in GLPI versions up to 10.0.17 in the /index.php file. Improper handling of the 'redirect' argument allows a remote attacker to perform an open redirect. Publicly disclosed exploits could be utilized; users should upgrade to GLPI version 10.0.18 or later to mitigate this risk.",GLPI Project,Glpi,5.3,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T15:07:56.854Z,0
CVE-2024-50339,https://securityvulnerability.io/vulnerability/CVE-2024-50339,Unauthenticated Session Theft Vulnerability in GLPI IT Management Software,"A session hijacking vulnerability exists in GLPI, a widely used IT asset management software: an unauthenticated user can obtain valid session IDs and use them to access user sessions without authenticating. The issue affects versions from 9.5.0 up to but not including 10.0.17. Version 10.0.17 prevents session ID retrieval, and users are encouraged to update to it.",Glpi-project,Glpi,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-12-12T02:06:00.000Z,67
CVE-2024-48912,https://securityvulnerability.io/vulnerability/CVE-2024-48912,GLPI: Security Patch Released for Delete User Account Vulnerability,"GLPI, an asset and IT management software, permits an authenticated user to delete any user account via an application endpoint. This vulnerability affects versions 10.0.0 to 10.0.16 and is fixed in version 10.0.17. It could lead to unauthorized account deletions, impacting user management and operational integrity.",Glpi-project,Glpi,8.1,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-12-11T17:03:10.014Z,0
CVE-2024-47761,https://securityvulnerability.io/vulnerability/CVE-2024-47761,GLPI patches vulnerability in IT management software,"An administrator with access to the contents of sent notifications in GLPI can exploit a vulnerability to gain control of higher-privileged accounts. This issue affects versions from 0.80 up to 10.0.16 and is fixed in version 10.0.17. Users of GLPI should update to mitigate this risk.",Glpi-project,Glpi,7.2,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-12-11T17:00:49.124Z,0
CVE-2024-47760,https://securityvulnerability.io/vulnerability/CVE-2024-47760,Security Vulnerability in IT Management Software Package,"GLPI, an open-source asset and IT management software, allows a technician with API access to gain control over accounts with elevated privileges. This affects versions 9.1.0 through 10.0.16 and poses a significant security risk. The issue is fixed in version 10.0.17.",Glpi-project,Glpi,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-12-11T16:56:57.600Z,0
CVE-2024-47758,https://securityvulnerability.io/vulnerability/CVE-2024-47758,GLPI Vulnerability Allows Take Over of User Accounts,"GLPI, a popular free asset and IT management software, allows authenticated users to abuse the API so that users with the same or lower privilege level can take control of each other's accounts, leading to unauthorized access and manipulation of sensitive data. This issue affects versions from 9.3.0 up to and including 10.0.16 and is patched in version 10.0.17.",Glpi-project,Glpi,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-12-11T15:50:22.285Z,0
CVE-2024-43416,https://securityvulnerability.io/vulnerability/CVE-2024-43416,Information Disclosure Vulnerability in GLPI Asset Management Software,"GLPI, a free asset and IT management software package, is susceptible to an information disclosure vulnerability: unauthenticated users can use a specific application endpoint to determine whether an email address belongs to an existing GLPI user. Users of GLPI versions prior to 10.0.17 are advised to update.",GLPI Project,Glpi,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-11-18T17:15:00.000Z,0
CVE-2024-45611,https://securityvulnerability.io/vulnerability/CVE-2024-45611,GLPI vulnerability allows unauthorized access through RSS feed,"GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to trigger a stored XSS. Upgrade to 10.0.17.",Glpi-project,Glpi,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-11-15T21:15:00.000Z,0
CVE-2024-43417,https://securityvulnerability.io/vulnerability/CVE-2024-43417,Reflected XSS Vulnerability in GLPI Software Management by GLPI Project,"GLPI, an open-source asset and IT management software, is susceptible to a reflected XSS vulnerability. Unauthenticated users can send malicious links to GLPI technicians; when a technician clicks one, their session could be compromised, potentially leading to unauthorized access to sensitive data. Upgrade to version 10.0.17 to mitigate this risk.",Glpi-project,Glpi,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-11-15T19:15:00.000Z,0
CVE-2024-43418,https://securityvulnerability.io/vulnerability/CVE-2024-43418,Reflected XSS Vulnerability in GLPI IT Management Software,"A reflected XSS vulnerability exists in the GLPI IT management software and can be exploited by an unauthenticated attacker. By crafting a malicious link and tricking a GLPI technician into clicking it, the attacker can execute arbitrary JavaScript in the context of the technician's session. Upgrade to version 10.0.17 or later to mitigate this risk.",Glpi-project,Glpi,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-11-15T19:15:00.000Z,0
CVE-2024-45608,https://securityvulnerability.io/vulnerability/CVE-2024-45608,SQL Injection Vulnerability in GLPI Asset Management Software,"An authenticated SQL injection vulnerability is present in the GLPI asset and IT management software: an authenticated user can alter their preferences to inject SQL, potentially gaining unauthorized access to sensitive data. Users on versions prior to 10.0.17 should upgrade. For more detailed information, refer to the security advisory linked in the references.",Glpi-project,Glpi,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-11-15T19:15:00.000Z,0
CVE-2024-41679,https://securityvulnerability.io/vulnerability/CVE-2024-41679,SQL Injection Vulnerability in GLPI Asset Management Software by GLPI Project,"An SQL injection vulnerability exists in GLPI, a widely used asset and IT management software package. An authenticated attacker can exploit it through the ticket form to execute arbitrary SQL commands, leading to unauthorized data access or manipulation and posing significant risk to the security and integrity of the IT infrastructure. Upgrade to version 10.0.17 or later.",Glpi-project,Glpi,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-11-15T19:15:00.000Z,0
CVE-2024-40638,https://securityvulnerability.io/vulnerability/CVE-2024-40638,GLPI allows account takeover via SQL Injection in AJAX scripts,"Multiple SQL injection vulnerabilities have been identified in GLPI, a widely used open-source asset and IT management software package. Authenticated users can exploit them to manipulate account data and potentially take control of another user's account. Upgrade to version 10.0.17 to mitigate these risks.",Glpi-project,Glpi,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-11-15T18:15:00.000Z,0
CVE-2024-47759,https://securityvulnerability.io/vulnerability/CVE-2024-47759,GLPI has a stored XSS via document upload,"GLPI is a free asset and IT management software package. A technician can upload an SVG containing a malicious script. The script is then executed when any user views the document contents. Upgrade to 10.0.17.",Glpi-project,Glpi,4.8,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-11-15T18:15:00.000Z,0
CVE-2024-41678,https://securityvulnerability.io/vulnerability/CVE-2024-41678,Reflected XSS Vulnerability in GLPI IT Management Software,"GLPI, a free asset and IT management software, has a reflected XSS vulnerability that allows an unauthenticated user to send a specially crafted link to a GLPI technician. If exploited, it could lead to unauthorized actions being performed with the permissions of the technician. The issue affects versions prior to 10.0.17; upgrade to that version to mitigate the risk.",Glpi-project,Glpi,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-11-15T18:15:00.000Z,0
CVE-2024-37149,https://securityvulnerability.io/vulnerability/CVE-2024-37149,Hijacking vulnerability in GLPI asset management software,"GLPI is an open-source asset and IT management software that includes ITIL Service Desk features, license tracking, and software auditing capabilities. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader so that the server executes it, posing significant risk to the integrity and security of the system. Upgrade to version 10.0.16.",Glpi-project,Glpi,8.8,HIGH,0.0004900000058114529,false,,false,false,false,,,false,false,,2024-07-10T19:20:36.161Z,0
CVE-2024-37148,https://securityvulnerability.io/vulnerability/CVE-2024-37148,SQL Injection Vulnerability Affects GLPI Asset Management Software,"An SQL injection vulnerability in the GLPI asset and IT management software allows authenticated users to execute arbitrary SQL queries through specific AJAX scripts. This can lead to unauthorized alteration of user account data, potentially allowing an attacker to take control of other user accounts. Upgrade to GLPI version 10.0.16 or later.",Glpi-project,Glpi,8.1,HIGH,0.0005000000237487257,false,,false,false,false,,,false,false,,2024-07-10T19:18:09.444Z,0
CVE-2024-37147,https://securityvulnerability.io/vulnerability/CVE-2024-37147,Attach Documents to Items Without Write Access,"GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. An authenticated user can attach a document to any item, even without write access to it. Upgrade to 10.0.16.",Glpi-project,Glpi,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-07-10T18:38:37.588Z,0
CVE-2024-31456,https://securityvulnerability.io/vulnerability/CVE-2024-31456,GLPI Fixes SQL Injection Vulnerability in Map Search,"GLPI, an open-source asset and IT management software, is susceptible to an SQL injection vulnerability in versions prior to 10.0.15. Authenticated users can execute malicious SQL queries through the map search functionality, potentially leading to unauthorized data access or manipulation. Upgrade to version 10.0.15.",Glpi-project,Glpi,6.5,MEDIUM,0.0004900000058114529,false,,false,false,false,,,false,false,,2024-05-07T14:07:08.277Z,0
CVE-2024-29889,https://securityvulnerability.io/vulnerability/CVE-2024-29889,SQL Injection Vulnerability in Saved Searches Feature Allows User Data Tampering and Takeover,"GLPI, a widely used asset and IT management software, has an SQL injection vulnerability in the saved searches functionality. It permits an authenticated user to manipulate another user's account information, potentially taking control of that account. The vulnerability affects GLPI prior to version 10.0.15, which fixes it.",Glpi-project,Glpi,8.1,HIGH,0.3650600016117096,false,,false,false,false,,,false,false,,2024-05-07T14:05:31.713Z,0
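Added example, not part of the feed or of GLPI itself: a small triage script that reads rows in the feed's CSV layout, derives each entry's fixed release from its description, and lists the entries that still apply to a given installed GLPI version, highest CVSS first, together with any workaround files (such as install/update.php or status.php) the description names. The "fixed release is the highest version number mentioned" rule is a heuristic that holds for every entry above; it is an assumption, not a property of the feed format. The embedded rows are constructed from the feed (descriptions shortened), and nothing is fetched from securityvulnerability.io at run time.

```python
from __future__ import annotations

import csv
import io
import re
from typing import Iterable

# Constructed sample: five records copied from the feed above with shortened
# descriptions; every other column is unchanged. Not fetched at run time.
SAMPLE_FEED = """cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-25192,https://securityvulnerability.io/vulnerability/CVE-2025-25192,Sensitive Information Disclosure in GLPI IT Management Software,"A low-privileged user can enable debug mode prior to version 10.0.18. Update to 10.0.18 or delete the 'install/update.php' file.",GLPI Project,Glpi,6.5,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T17:58:20.388Z,0
CVE-2025-21626,https://securityvulnerability.io/vulnerability/CVE-2025-21626,Sensitive Information Exposure in GLPI IT Management Software,"Anonymous users can read sensitive data via `status.php` in versions from 0.71 up to 10.0.17. Version 10.0.18 resolves this; as a workaround, delete or restrict `status.php`.",GLPI Project,Glpi,5.8,MEDIUM,0.01,false,,false,false,false,,false,false,false,,2025-02-25T15:37:27.689Z,0
CVE-2024-48912,https://securityvulnerability.io/vulnerability/CVE-2024-48912,GLPI: Security Patch Released for Delete User Account Vulnerability,"An authenticated user can delete any user account. Affects 10.0.0 to 10.0.16, with version 10.0.17 incorporating a fix.",Glpi-project,Glpi,8.1,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-12-11T17:03:10.014Z,0
CVE-2024-50339,https://securityvulnerability.io/vulnerability/CVE-2024-50339,Unauthenticated Session Theft Vulnerability in GLPI IT Management Software,"Affects versions from 9.5.0 up to but not including 10.0.17. Addressed in version 10.0.17.",Glpi-project,Glpi,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-12-12T02:06:00.000Z,67
CVE-2024-29889,https://securityvulnerability.io/vulnerability/CVE-2024-29889,SQL Injection Vulnerability in Saved Searches Feature Allows User Data Tampering and Takeover,"Affects GLPI prior to version 10.0.15, which has since implemented fixes.",Glpi-project,Glpi,8.1,HIGH,0.3650600016117096,false,,false,false,false,,,false,false,,2024-05-07T14:05:31.713Z,0
"""

Version = tuple[int, int, int]

# Dotted three-part version numbers as they appear in the descriptions.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# Workaround files the descriptions quote in single quotes or backticks
# (e.g. 'install/update.php', `status.php`); assumption about the feed's style.
FILE_RE = re.compile(r"[`']([\w./-]+\.php)[`']")


def parse_version(text: str) -> Version:
    """'10.0.16' -> (10, 0, 16); raises on anything that is not x.y.z."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a dotted x.y.z version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def fixed_version(description: str) -> Version | None:
    """Heuristic (assumption): every entry names its affected range and the
    release that fixes it, and the fix is the highest version mentioned."""
    found = [
        (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        for m in VERSION_RE.finditer(description)
    ]
    return max(found) if found else None


def load_feed(text: str) -> list[dict[str, str]]:
    """Parse the feed's CSV layout; quoted descriptions may contain commas."""
    return list(csv.DictReader(io.StringIO(text)))


def applicable(rows: Iterable[dict[str, str]], installed: str) -> list[dict[str, object]]:
    """Entries whose fixed release is newer than the installed version,
    ordered by CVSS score (descending) then CVE id."""
    inst = parse_version(installed)
    hits: list[dict[str, object]] = []
    for row in rows:
        fixed = fixed_version(row["description"])
        if fixed is None or inst >= fixed:
            continue  # unknown range, or already running the fixed release
        hits.append({
            "cve": row["cve"],
            "severity": row["severity"],
            "score": float(row["score"]),
            "fixed_in": ".".join(str(n) for n in fixed),
            "workaround_files": sorted(set(FILE_RE.findall(row["description"]))),
        })
    hits.sort(key=lambda h: (-float(h["score"]), str(h["cve"])))
    return hits


if __name__ == "__main__":
    # Example: an instance still on 10.0.16 is exposed to four of the five rows.
    for hit in applicable(load_feed(SAMPLE_FEED), "10.0.16"):
        print(hit)
```

Running the script against the full feed instead of the sample only requires reading the CSV from disk into `load_feed`; the version rule and the workaround-file extraction stay the same. An instance on 10.0.16 is shown as exposed to everything fixed in 10.0.17 and 10.0.18 and not to CVE-2024-29889, and an instance on 10.0.18 gets an empty list.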