Flegastelois

Name of the Vulnerable Software and Affected Versions: Addressing GLPI plugin versions 3.0.0 through 3.0.3 Description: The issue is related to a poor security check in the Addressing GLPI plugin, which allows an unauthenticated attacker to determine whether data exists by name in GLPI. This can potentially lead to unauthorized access to protected information. The vulnerability is associated with the use of external controlled input for selecting classes or code. Recommendations: For versions 3.0.0 through 3.0.3, update to version 3.0.3 or later to resolve the issue. At the moment, there is no information about other versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 10.0.0 through 10.0.7 **Description** The issue is related to a SQL injection attack that can be driven through the GLPI inventory endpoint, which by default requires no authentication. This allows a remote attacker to execute arbitrary code. The estimated number of potentially affected devices is not specified. **Recommendations** For versions 10.0.0 through 10.0.7, update to version 10.0.8 to resolve the issue. As a temporary workaround, consider disabling the native inventory endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 9.2.0 through 10.0.7 **Description** The issue is related to an incorrect rights check on a file accessible by an authenticated user, allowing access to view all KnowbaseItems. **Recommendations** For versions 9.2.0 through 10.0.7, update to version 10.0.8 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.68 through 10.0.7 **Description** The issue is related to an incorrect rights check on a file accessible by an authenticated user, allowing access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch. **Recommendations** For GLPI versions 0.68 through 10.0.7, upgrade to version 10.0.8 to receive a patch.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.80 through 10.0.7 **Description** The issue is related to a lack of protection against SQL injection attacks in the GLPI system, which manages IT assets and inventory. This can be exploited by a remote attacker to execute arbitrary code. The Computer Virtual Machine form and GLPI inventory request are specifically vulnerable to this type of attack. **Recommendations** For versions 0.80 through 10.0.7, update to version 10.0.8 to apply the patch for this issue. As a temporary workaround for versions 0.80 through 10.0.7, consider disabling native inventory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 9.5.0 through 10.0.7 **Description** The issue is related to inadequate access control in the GLPI system, which can be exploited by a remote attacker to modify or view dashboard data. This is due to an incorrect rights check on a file accessible by an authenticated user, or in some cases, without authentication. **Recommendations** For GLPI versions 9.5.0 through 10.0.7, update to version 10.0.8 to resolve the issue. As a temporary workaround, consider restricting access to the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 9.5.0 through 10.0.7 **Description** The issue is related to an incorrect rights check on a file in GLPI, a free asset and IT management software package. This allows an unauthenticated user to access dashboards data. The problem is associated with deficiencies in the authentication procedure, which can be exploited by a remote attacker to disclose protected information. **Recommendations** For versions 9.5.0 through 10.0.7, update to version 10.0.8, which contains a patch for this issue.