CVE-2023-28849: Release 10.0.7 · glpi-project/glpi

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, the GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform an XSS attack. By default, the GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.

This is a security release, upgrading is recommended

This release fixes several security issues that have recently been discovered. Updating is recommended!

You can download the GLPI 10.0.7 archive on GitHub.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
  • [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
  • [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
  • [SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
  • [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
  • [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
  • [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
  • [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

  • [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
  • [FEATURE] Support of SMTP OAuth authentication.
  • [FEATURE] Improved inventory file upload feature.
  • [FIX] Many fixes and improvements on native inventory.
  • [FIX] Some bugs on PHP 8.2.
  • [FIX] Caching issues on entities.
  • [FIX] Boolean FullText operator not working on knowledge base search.
  • [FIX] Unexpected search results when using negative condition on ticket actors.
  • [FIX] Issues with LDAP filters/DN.
  • [FIX] Unexpected results when searching on knowledge base categories.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

Related news

CVE-2023-28632: Release 9.5.13 · glpi-project/glpi

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify the emails of any user, and can therefore take over another user's account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to the `Forgotten password?` event. However, it will not prevent unauthorized modification of any user's email.
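Two advisories on this page (CVE-2023-28849 above and CVE-2023-28632 here) state explicit affected version ranges; the following triage helper, added here as an example and not part of the GLPI project or the advisories, checks a deployed GLPI version against those ranges so a fleet inventory can be matched against both. Function names and the sample versions are constructed for this example.

```python
"""Triage helper: does a deployed GLPI version fall inside the affected
ranges published for CVE-2023-28849 and CVE-2023-28632?  The ranges are
taken from the advisory text; everything else here is constructed for
this example and is not GLPI project code."""
from typing import Dict, List, Tuple

# cve -> list of [first_affected, first_fixed) half-open ranges, as stated
# in the advisories (28632 spans both the 9.5.x and 10.0.x branches).
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2023-28849": [("10.0.0", "10.0.7")],
    "CVE-2023-28632": [("0.83", "9.5.13"), ("10.0.0", "10.0.7")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.7' (or '9.5.13-rc1') into a comparable tuple of ints.
    A pre-release suffix is dropped because the advisory ranges are
    expressed on plain release numbers only."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    # Pad to three components so '0.83' and '0.83.0' compare equal.
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, cve: str) -> bool:
    """True when `version` lies in any affected range recorded for `cve`."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES[cve])


def open_cves(version: str) -> List[str]:
    """All CVEs from this page's advisories still open on `version`."""
    return sorted(c for c in AFFECTED_RANGES if is_affected(version, c))


if __name__ == "__main__":
    # Constructed sample fleet; each entry is (hostname, reported version).
    fleet = [("glpi-prod", "10.0.6"), ("glpi-legacy", "9.5.12"),
             ("glpi-staging", "10.0.7")]
    for host, ver in fleet:
        print(f"{host} ({ver}): {open_cves(ver) or 'no open CVEs'}")
```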

