Microsoft · Windows · CVE-2024-28240
Name of the Vulnerable Software and Affected Versions:
GLPI-Agent versions prior to 1.7.2
Description:
A vulnerability in the GLPI-Agent, specifically affecting installations on Windows via MSI packaging, allows a local user to cause a denial of service by replacing the GLPI server URL with an incorrect one or by disabling the service. Furthermore, if the Deploy task is installed, a malicious local user can trigger privilege escalation by configuring a malicious server with its own deploy task payload. This issue is due to insufficient input validation.
Recommendations:
For versions prior to 1.7.2, update to version 1.7.2 to resolve the issue.
As a temporary workaround, edit the GLPI-Agent related key under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and add a `SystemComponent` DWORD value setting it to `1` to hide GLPI-Agent from installed applications.
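
The workaround above, scripted in PowerShell as an added example (not part of the original advisory or the GLPI-Agent project). It assumes the uninstall entry's `DisplayName` matches `GLPI*Agent*` and that `DisplayVersion` holds the installed version; adjust the pattern if the entry is named differently on your hosts.

```powershell
# Added example: set SystemComponent=1 on the GLPI-Agent uninstall entry.
# Writing under HKLM requires an elevated PowerShell session.
$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$namePattern   = 'GLPI*Agent*'        # assumption: matches the entry's DisplayName
$fixedVersion  = [version]'1.7.2'     # first fixed release per the advisory

# Locate uninstall subkeys whose DisplayName looks like GLPI-Agent.
$entries = Get-ChildItem -Path $uninstallRoot | Where-Object {
    $_.GetValue('DisplayName') -like $namePattern
}

if (-not $entries) {
    Write-Warning "No uninstall entry matching '$namePattern' under $uninstallRoot"
    return
}

foreach ($key in $entries) {
    $display = $key.GetValue('DisplayName')
    $rawVer  = $key.GetValue('DisplayVersion')

    # Skip entries already at the fixed version; an unparseable version is
    # treated as affected so the workaround is still applied.
    $parsed  = $null
    $isFixed = [version]::TryParse([string]$rawVer, [ref]$parsed) -and
               ($parsed -ge $fixedVersion)
    if ($isFixed) {
        Write-Host "$display ($rawVer): at or above $fixedVersion, no change"
        continue
    }

    # Create or overwrite the DWORD value, then read it back to confirm.
    New-ItemProperty -Path $key.PSPath -Name 'SystemComponent' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $check = (Get-ItemProperty -Path $key.PSPath -Name 'SystemComponent').SystemComponent
    Write-Host "$display ($rawVer): SystemComponent = $check"
}
```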