Login-Securite

**Name of the Vulnerable Software and Affected Versions** GLPI versions 11.0.0 through 11.0.5 **Description** GLPI is a free Asset and IT management software package. An authenticated user can perform a SQL injection. The SQL injection can be performed through unspecified vectors. **Recommendations** Update to version 11.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 11.0.0 through 11.0.5 **Description** GLPI is an Asset and IT management software package. A malicious actor with knowledge of a user's credentials can bypass Multi-Factor Authentication (MFA) and compromise the account. The issue affects versions starting from 11.0.0 up to, but not including, 11.0.6. **Recommendations** Update to GLPI version 11.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** GLPI Fields plugin versions prior to 1.23.3 **Description** The Fields plugin for GLPI allows users to add custom fields to GLPI item forms. Prior to version 1.23.3, users permitted to create dropdowns could execute arbitrary PHP code. This allows for the potential execution of malicious code through the creation of specially crafted dropdowns. The vulnerable component is the functionality related to creating dropdowns within the plugin. The `createDropdowns()` function is implicated in this issue. The vulnerable parameter is the input provided during dropdown creation. **Recommendations** Versions prior to 1.23.3 should be updated to version 1.23.3 or later.

**Name of the Vulnerable Software and Affected Versions** mreporting versions prior to 1.9.4 **Description** The mreporting GLPI plugin contains a possible SQL injection issue related to date changes. This affects the reporting functionality of the plugin. **Recommendations** Update to version 1.9.4 or later.