Cédric Anne

34 exploits; active since Jul 2019
CVE-2023-46726 HIGH WRITEUP
GLPI 10.0.0-10.0.10 - Remote Code Execution via LDAP Server Configuration Form
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
CVSS 7.2
CVE-2023-51446 MEDIUM WRITEUP
GLPI 0.70-10.0.11 - LDAP Injection via Authentication Form
GLPI is a Free Asset and IT Management Software package. When authentication is performed against an LDAP directory, the authentication form can be used to perform LDAP injection. Version 10.0.12 contains a patch for the issue.
CVSS 5.9
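To make the LDAP injection class concrete, here is an added example (not GLPI's code) showing how a login filter built by string concatenation is restructured by a crafted username, and how escaping the assertion value per RFC 4515 prevents it. The filter template, the attribute names and the sample inputs are constructed for this demonstration.

```python
"""Added example, not GLPI code: an LDAP authentication filter built by string
concatenation versus one built with RFC 4515 escaping of the user-supplied value.
The filter template, attribute names and sample inputs are constructed for this demo."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(login_field: str, username: str) -> str:
    # Vulnerable pattern: the raw username is spliced into the filter text.
    return f"(&(objectClass=person)({login_field}={username}))"


def build_filter_safe(login_field: str, username: str) -> str:
    # Hardened pattern: every filter metacharacter in the value is escaped first.
    return f"(&(objectClass=person)({login_field}={escape_filter_value(username)}))"


_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """List the (attribute, value) assertions in a filter. The login filter above is
    meant to carry exactly two; a third one means the input changed the query logic."""
    return _ASSERTION.findall(ldap_filter)


if __name__ == "__main__":
    # Constructed attacker input: closes the uid assertion and adds a wildcard one.
    crafted = "*)(uid=*"
    for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        f = build("uid", crafted)
        print(f"{label}: {f}  -> {len(assertions(f))} assertions")
```

With the input `*)(uid=*` the unsafe builder produces `(&(objectClass=person)(uid=*)(uid=*))`, a filter that matches every person entry instead of one account, so which entry the search returns is now under the attacker's control. The escaped version keeps the whole input inside a single assertion value. In a real deployment use the client library's escaping routine rather than a hand-written table; for example python-ldap3 ships `ldap3.utils.conv.escape_filter_chars`.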
CVE-2024-23645 MEDIUM WRITEUP
GLPI 0.65-10.0.11 - Cross-Site Scripting via Reports Page URL
GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to trigger cross-site scripting (XSS) on the reports pages. Version 10.0.12 contains a patch for the issue.
CVSS 6.5
CVE-2024-27098 MEDIUM WRITEUP
GLPI 9.5.0-10.0.12 - Authenticated Server-Side Request Forgery via Arbitrary Object Instantiation
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can perform a server-side request forgery (SSRF) attack by abusing arbitrary object instantiation. This issue has been patched in version 10.0.13.
CVSS 6.4
CVE-2024-27104 MEDIUM WRITEUP
GLPI 9.5.0-10.0.12 - Stored Cross-Site Scripting via Dashboard Sharing
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing JavaScript code. Any user who opens this dashboard is subject to a stored XSS attack. This issue has been patched in version 10.0.13.
CVSS 4.5
CVE-2024-27930 MEDIUM WRITEUP
GLPI 0.78-10.0.12 - Authenticated Sensitive Data Exposure via Item Field Access
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive field data from items to which they have read access. This issue has been patched in version 10.0.13.
CVSS 6.5
CVE-2024-27937 MEDIUM WRITEUP
GLPI 10.0.0-10.0.12 - Authenticated Email Address Disclosure
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email addresses of all GLPI users. This issue has been patched in version 10.0.13.
CVSS 6.5
CVE-2024-29889 HIGH WRITEUP
GLPI 10.0.10-10.0.14 - Authenticated SQL Injection via Saved Searches Feature
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of that account. This vulnerability is fixed in 10.0.15.
CVSS 7.1
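The impact described for this entry, an authenticated user using an injection in a saved-search action to rewrite a different user's account row, is easy to see on a small model. The following is an added example, not GLPI's code or schema: a "set my default saved search" action backed by SQLite, first with the request value spliced into the UPDATE, then with a parameterized query plus an ownership check. The tables, rows and payload are constructed for this demonstration.

```python
"""Added example, not GLPI code: a 'set my default saved search' action backed by
SQLite, first with the request value spliced into the UPDATE, then with a
parameterized query plus an ownership check. Schema, rows and payload are
constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: two users and one saved search owned by user 1."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, default_search INTEGER);
        CREATE TABLE saved_searches (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test', NULL);
        INSERT INTO users VALUES (2, 'admin', 'admin@example.test', NULL);
        INSERT INTO saved_searches VALUES (10, 1, 'my tickets');
    """)
    return con


def set_default_search_unsafe(con: sqlite3.Connection, user_id: int, search_id: str) -> None:
    # Vulnerable: search_id comes straight from the request and is spliced into the statement.
    con.execute(f"UPDATE users SET default_search = {search_id} WHERE id = {user_id}")
    con.commit()


def set_default_search_safe(con: sqlite3.Connection, user_id: int, search_id: str) -> None:
    # Hardened: int() rejects anything but a number, placeholders keep the value out of the
    # statement text, and the ownership check stops a user selecting someone else's search.
    sid = int(search_id)
    owned = con.execute(
        "SELECT 1 FROM saved_searches WHERE id = ? AND user_id = ?", (sid, user_id)
    ).fetchone()
    if owned is None:
        raise PermissionError(f"saved search {sid} is not owned by user {user_id}")
    con.execute("UPDATE users SET default_search = ? WHERE id = ?", (sid, user_id))
    con.commit()


def user_row(con: sqlite3.Connection, user_id: int) -> tuple:
    """(email, default_search) for one user."""
    return con.execute(
        "SELECT email, default_search FROM users WHERE id = ?", (user_id,)
    ).fetchone()


# Constructed payload: the trailing comment swallows the original WHERE clause, so the
# UPDATE targets user 2 and rewrites a second column on that row.
PAYLOAD = "10, email = 'attacker@evil.test' WHERE id = 2 --"


def demo() -> dict:
    """Run both versions against fresh databases and report what each one changed."""
    con = make_db()
    set_default_search_unsafe(con, 1, PAYLOAD)
    result = {"unsafe_admin": user_row(con, 2)}

    con = make_db()
    try:
        set_default_search_safe(con, 1, PAYLOAD)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    try:
        set_default_search_safe(con, 2, "10")   # user 2 picking user 1's search
        result["other_user_rejected"] = False
    except PermissionError:
        result["other_user_rejected"] = True
    set_default_search_safe(con, 1, "10")        # the legitimate call still works
    result["safe_admin"] = user_row(con, 2)
    result["safe_alice"] = user_row(con, 1)
    return result


if __name__ == "__main__":
    print(demo())
```

The unsafe path turns the single request parameter into `UPDATE users SET default_search = 10, email = 'attacker@evil.test' WHERE id = 2 -- WHERE id = 1`, which is one well-formed statement, so no stacked-query support is needed; with the email (or password reset target) of another account under the attacker's control, taking over that account follows. The hardened path fails closed on the malformed value and separately refuses a saved search the caller does not own.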
CVE-2025-53360 MEDIUM WRITEUP
pluginsGLPI's Database Inventory Plugin <1.0.3 - Privilege Escalation
pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. In versions prior to 1.0.3, any authenticated user could send requests to the agents. This issue has been patched in version 1.0.3.
CVSS 4.3