CVE-2023-42802: Release 10.0.10 · glpi-project/glpi

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows an attacker to upload malicious PHP files into directories that should not accept uploads. Depending on the web server configuration and the system libraries available, those PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove the web server's write access to the /ajax and /front directories.
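The script below is an added example, not code from the GLPI project or from the advisory. It verifies the workaround above (that the web server user can neither write to nor own anything under /ajax and /front, since an owner can always restore write permission) and lists PHP files that appeared in those directories after a reference file was installed. The GLPI root path, the web server user (www-data in the usage comment) and the choice of reference file are assumptions; the script must run as the web server user, because as root every path tests as writable.

```shell
#!/bin/sh
# Added example; not code from the GLPI project or the advisory.
# Checks whether the CVE-2023-42802 workaround ("remove write access on
# /ajax and /front files to the web server") is in place, and lists PHP
# files that appeared in those directories after installation.
# Assumptions (mine, not the advisory's): $1 is the GLPI web root, the
# script runs as the web server user (e.g. sudo -u www-data sh check.sh
# /var/www/glpi /var/www/glpi/index.php), and the reference file for the
# stray-file scan is one shipped in the archive and untouched since install.

# Exit status: 0 = nothing writable by or owned by this user,
#              1 = a writable path or a missing directory was found,
#              2 = running as root (every path is writable; result meaningless),
#              3 = nothing writable, but this user owns paths and could
#                  chmod them back, so the workaround is not robust.
check_glpi_workaround() {
    root="$1"
    rc=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as the web server user, not as root" >&2
        return 2
    fi
    me=$(id -un)
    for sub in ajax front; do
        dir="$root/$sub"
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            rc=1
            continue
        fi
        # Every file or directory below $dir that the current user can write.
        # A writable directory alone is enough to drop a new .php file into it.
        writable=$(find "$dir" -exec test -w {} \; -print)
        if [ -n "$writable" ]; then
            printf '%s\n' "$writable" | sed 's/^/writable: /'
            rc=1
        fi
        # Paths owned by this user: the owner can always restore write permission.
        owned=$(find "$dir" -user "$me" -print)
        if [ -n "$owned" ]; then
            printf '%s\n' "$owned" | sed 's/^/owned by web user: /'
            if [ "$rc" -eq 0 ]; then rc=3; fi
        fi
    done
    return "$rc"
}

# PHP files under /ajax and /front modified after the reference file.
# Exit status: 0 = none, 1 = candidates listed (inspect them before deleting).
find_stray_php() {
    root="$1"
    ref="$2"
    found=$(find "$root/ajax" "$root/front" -name '*.php' -newer "$ref" -print 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/newer than reference: /'
        return 1
    fi
    return 0
}

# The workaround itself: drop write permission for everyone on both trees.
# Read and execute bits are kept so the web server can still serve them.
# Run this as a user that owns the files, not as the web server user.
apply_glpi_workaround() {
    root="$1"
    chmod -R a-w "$root/ajax" "$root/front"
}

# Usage: sh check.sh GLPI_ROOT [REFERENCE_FILE]
if [ "$#" -ge 1 ]; then
    check_glpi_workaround "$1"; status=$?
    if [ "$#" -ge 2 ]; then find_stray_php "$1" "$2"; fi
    exit "$status"
fi
```

Exit status 3 is the case to watch for: permissions alone do not help when the web server user owns the scripts, because PHP code running as that user can chmod them back, so the files should be owned by a different account. The workaround is a stopgap; upgrading to 10.0.10 is the fix, and an upgrade will need write access restored for whichever account performs it.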


This is a security release; upgrading is recommended.

This release fixes several recently discovered security issues, listed below.

You can download the GLPI 10.0.10 archive on GitHub.

You will find below the security issues fixed in this bugfix version:

  • [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
  • [SECURITY - High] Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
  • [SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
  • [SECURITY - High] Account takeover through API (CVE-2023-41324).
  • [SECURITY - High] File deletion through document upload process (CVE-2023-42462).
  • [SECURITY - Moderate] Sensitive fields enumeration through API (CVE-2023-41321).
  • [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-41322).
  • [SECURITY - Moderate] Users login enumeration by unauthenticated user (CVE-2023-41323).
  • [SECURITY - Moderate] Phishing through a login page malicious URL (CVE-2023-41888).
  • [SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).

Also, here is a short list of main changes done in this version:

  • [FEATURE] PHP 8.3 and MySQL 8.1 support.
  • [FEATURE] Enable usage of images in rich text of followups/tasks/solution templates.
  • [PERFORMANCES] Improve ticket timeline rendering performance.
  • [FIX] Fix issues with usage of LDAP bind options.
  • [FIX] Fix some issues on SLA/OLA escalation levels computation.
  • [FIX] Fix some issues on search on numeric and dates fields.
  • Several minor fixes

The full changelog is available for more details.

We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

Related news

CVE-2023-42462: File deletion through document upload process

GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-41888: Phishing through a login page malicious URL

GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to craft a malicious login page URL that can be used in a phishing attack against user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

CVE-2023-42461: SQL injection in ITIL actors

GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. The ITIL actors input field of the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
