CVE-2021-39211

MEDIUM EXPLOITED NUCLEI

GLPI < 9.5.6 - Information Disclosure

Title source: rule

Description

GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.

Nuclei Templates (1)

GLPI 9.2/<9.5.6 - Information Disclosure
MEDIUM by dogasantos, noraj
Shodan: http.title:"glpi" || http.favicon.hash:"-1474875778"
FOFA: icon_hash="-1474875778" || title="glpi"

Scores

CVSS v3 5.3
EPSS 0.3892
EPSS Percentile 97.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2023-11-13
CWE CWE-200
Status published
Products (1)
glpi-project/glpi 9.2 - 9.5.6
Published Sep 15, 2021
Tracked Since Feb 18, 2026