Qbiguenet

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.17 **Description** The issue is related to insufficient protection of the web page structure and inadequate data sanitization in GLPI, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. This can be achieved by uploading a malicious SVG script, which will be executed when a user attempts to view the document contents. **Recommendations** For versions prior to 10.0.17, upgrade to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files or disabling the functionality that allows technicians to upload documents until a patch is applied. Avoid using the affected functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 0.80 through 10.0.16 **Description** The issue is related to a lack of password recovery mechanism in the GLPI system, which can be exploited by a remote attacker to bypass existing security restrictions. An administrator with access to the contents of sent notifications can take control of an account with higher privileges. **Recommendations** For GLPI versions 0.80 through 10.0.16, update to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting access to the notification contents for administrators to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 9.1.0 through 10.0.16 **Description** The issue is related to incorrect access control in the GLPI system, which can allow a remote attacker to exploit the vulnerability and potentially disclose confidential information. A technician with access to the API can take control of an account with higher privileges. **Recommendations** For GLPI versions 9.1.0 through 10.0.16, update to version 10.0.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the API to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: GLPI versions 9.3.0 through 10.0.16 Description: The issue is related to incorrect access control in the GLPI system, which can be exploited by a remote attacker to gain unauthorized access to an account through the API. An authenticated user can use the API to take control of any user with the same or lower level of privileges. Recommendations: For GLPI versions 9.3.0 through 10.0.16, update to version 10.0.17 or later to resolve the issue. As a temporary workaround, consider restricting API access to minimize the risk of exploitation.