Description
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv
Patch, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/commit/ad66d69049ae02bead8ed0f4ee654a458643244e
Scores
CVSS v3
3.5
EPSS
0.0018
EPSS Percentile
39.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
glpi-project/glpi
< 10.0.3
Published
Sep 14, 2022
Tracked Since
Feb 18, 2026