CVE-2021-39213
MEDIUM
GLPI 9.1-9.5.5 - API Bypass via Custom Header Injection
Title source: llm
Description
GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.
References (2)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/releases/tag/9.5.6
Third Party Advisory x_refsource_confirm
https://github.com/glpi-project/glpi/security/advisories/GHSA-6w9f-2m6g-5777
Scores
CVSS v3: 6.8
EPSS: 0.0035
EPSS Percentile: 57.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE: CWE-74
Status: published
Products (1)
glpi-project/glpi: 9.1 - 9.5.6
Published: Sep 15, 2021
Tracked Since: Feb 18, 2026