Cédric Anne

34 exploits Active since Jul 2019
CVE-2019-13240 WRITEUP MEDIUM WRITEUP
GLPI < 9.4.1 - Weak Password Recovery Mechanism for Forgotten Password
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
CVSS 5.9
CVE-2020-15175 WRITEUP HIGH WRITEUP
GLPI < 9.5.2 - Unauthenticated Arbitrary File Deletion and Information Disclosure via pluginimage.send.php
In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in "/files/". Some of the sensitive information that is compromised includes the user sessions, logs, and more. An attacker would be able to get the administrator's session token and use that to authenticate. The issue is patched in version 9.5.2.
CVSS 7.4
CVE-2024-23645 WRITEUP MEDIUM WRITEUP
GLPI 0.65-10.0.11 - Cross-Site Scripting via Reports Page URL
GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.
CVSS 6.5
CVE-2024-27914 WRITEUP MEDIUM WRITEUP
GLPI 10.0.8-10.0.12 - Unauthenticated Reflected Cross-Site Scripting via Debug Bar
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.
CVSS 5.3
CVE-2024-43416 WRITEUP HIGH WRITEUP
GLPI 0.80-10.0.16 - Unauthenticated User Email Enumeration via Application Endpoint
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.
CVSS 7.5
CVE-2025-64516 WRITEUP HIGH WRITEUP
GLPI 10.0.0-10.0.20 - Unauthenticated Document Access via Public FAQ
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
CVSS 7.5
CVE-2020-15176 WRITEUP HIGH WRITEUP
GLPI < 9.5.2 - SQL Injection via Backtick Input
In GLPI before version 9.5.2, when supplying a backtick in input that gets put into a SQL query, the application does not escape or sanitize it, allowing SQL injection to occur. Leveraging this vulnerability, an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2.
CVSS 8.7
CVE-2020-15177 WRITEUP HIGH WRITEUP
GLPI < 9.5.2 - Unauthenticated Stored Cross-Site Scripting and Insecure Redirection via url_base Parameter
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone could point these fields at malicious websites or form the input in a way that triggers XSS. Leveraging JavaScript, it is possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
CVSS 8.0
CVE-2020-15217 WRITEUP MEDIUM WRITEUP
GLPI 9.5.0-9.5.2 - Unauthenticated User Information Leakage via Public FAQ
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
CVSS 5.3
CVE-2020-15226 WRITEUP MEDIUM WRITEUP
GLPI < 9.5.2 - Authenticated SQL Injection via API Search Function
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.
CVSS 5.0
CVE-2020-26212 WRITEUP HIGH WRITEUP
GLPI < 9.5.3 - Authenticated Unauthorized Planning Access via CalDAV
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with the 'eduardo.mozart' user (from the 'IT' group that belongs to 'Super-admin') in its personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV URL and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Enter the username and password of any valid user (e.g. 'camila' from the 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart's personal planning. The same behavior happens for any group, e.g. 'Camila' has access to the 'IT' group planning, even though she does not belong to this group and has a 'Self-service' profile permission. This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to the CalDAV server.
CVSS 7.7
CVE-2022-21720 WRITEUP MEDIUM WRITEUP
GLPI < 9.5.7 - Authenticated SQL Injection
GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.
CVSS 4.9
CVE-2022-24868 WRITEUP HIGH WRITEUP
GLPI < 10.0.0 - Stored Cross-Site Scripting via SVG Avatar Upload
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0, one can exploit a lack of sanitization on SVG file uploads and inject JavaScript into their user avatar. As a result, any user viewing the avatar will be subject to a cross-site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
CVSS 7.3
CVE-2022-24869 WRITEUP MEDIUM WRITEUP
GLPI < 10.0.0 - Cross-Site Scripting via Ticket Followups or Login Message Stylesheet Link
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0, one can use ticket followups or set up login messages with a stylesheet link. This may allow for a cross-site scripting attack vector. This issue is partially mitigated by the CORS security of browsers, though users are still advised to upgrade.
CVSS 4.6
CVE-2022-24876 WRITEUP MEDIUM WRITEUP
GLPI - Stored Cross-Site Scripting via Kanban User Name
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Kanban is a GLPI view to display Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1, a user can exploit a cross-site scripting vulnerability in Kanban by injecting HTML code into their user name. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 5.4
CVE-2022-31082 WRITEUP MEDIUM WRITEUP
glpi-inventory-plugin < 1.0.2 - SQL Injection via Package Deployment Tasks
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.
CVSS 5.8
CVE-2022-31187 WRITEUP MEDIUM WRITEUP
GLPI < 10.0.3 - Cross-Site Scripting in Global Search
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions were found to not properly neutralize HTML tags in the global search context. Users are advised to upgrade to version 10.0.3 to resolve this issue. Users unable to upgrade should disable global search.
CVSS 6.8
CVE-2022-35945 WRITEUP MEDIUM WRITEUP
GLPI < 10.0.3 - Stored Cross-Site Scripting in Registration Key Configuration Page
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated with a registration key is not properly escaped on the registration key configuration page. It can be used to steal a GLPI administrator's cookie. Users are advised to upgrade to 10.0.3. There are no known workarounds for this issue. Workarounds: do not use a registration key created by an untrusted person.
CVSS 6.3
CVE-2022-35946 WRITEUP MEDIUM WRITEUP
GLPI < 10.0.3 - Authenticated SQL Injection via Plugin Controller
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker can, for instance, alter database data. Attacker must have "General setup" update rights to be able to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the `front/plugin.form.php` script.
CVSS 5.5
CVE-2022-35947 WRITEUP CRITICAL WRITEUP
GLPI < 10.0.3 - SQL Injection via External Token Login Simulation
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.
CVSS 10.0
CVE-2023-28633 WRITEUP LOW WRITEUP
GLPI 0.84-9.5.12 - Server-Side Request Forgery via RSS Feed Autodiscovery
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check the safety of URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
CVSS 3.5
CVE-2023-28855 WRITEUP MEDIUM WRITEUP
Fields <1.13.1-1.20.4 - Privilege Escalation
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
CVSS 6.5
CVE-2023-29006 WRITEUP HIGH WRITEUP
GLPI Order GLPI <2.7.7-2.10.1 - Command Injection
The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to the standard interface can craft a URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin.
CVSS 8.8
CVE-2023-43813 WRITEUP MEDIUM WRITEUP
GLPI 10.0.0-10.0.10 - SQL Injection via Saved Search Feature
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.
CVSS 6.5