Borelenzo

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.16 **Description** The issue is related to a SQL injection vulnerability in some AJAX scripts of the GLPI software. This vulnerability can be exploited by an authenticated user to alter another user's account data and take control of it. The vulnerability is caused by the incorrect neutralization of special elements used in SQL commands, allowing a remote attacker to modify user account data and gain control over it. **Recommendations** For versions prior to 10.0.16, upgrade to version 10.0.16 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable AJAX scripts until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.13 **Description** GLPI is a Free Asset and IT Management Software package that includes data center management, ITIL Service Desk, licenses tracking, and software auditing. An authenticated user can obtain the email address of all GLPI users. **Recommendations** For versions prior to 10.0.13, update to version 10.0.13 to resolve the issue. As a temporary workaround, consider restricting access to sensitive user information until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.13 **Description** The issue is related to insufficient authorization procedure in GLPI, a free asset and IT management software package. This allows an authenticated user to access sensitive fields data from items on which they have read access. The vulnerability can be exploited by a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions prior to 10.0.13, update to version 10.0.13 to resolve the issue. As a temporary workaround, consider restricting access to sensitive fields data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.15 **Description** The issue concerns a SQL injection vulnerability that can be exploited by an authenticated user through the map search function. This vulnerability allows a remote attacker to disclose protected information due to the lack of protection measures for the SQL query structure. **Recommendations** For versions prior to 10.0.15, update to version 10.0.15 to resolve the issue. As a temporary workaround, consider restricting access to the map search function until the update is applied.