authorTomáš Čiernik <tomas@ciernik.sk>2024-04-25 10:18:00 +0000
committerPhilip Paeps <philip@FreeBSD.org>2024-04-25 11:16:00 +0000
commit539ca10aa3f0e80f78b1e684815c2a8d1b74da40 (patch)
tree0032e5e7ce0801e6b39a5790d98f6fb61806259c
parentd91af4df818e213c806e878d983195d0e6736faf (diff)
security/vuxml: correct historical www/glpi entries
Several older entries for www/glpi had incorrect version ranges, causing pkg audit to report false positives. This corrects the older entries and adds some missing ones. PR: 278549
-rw-r--r--security/vuxml/vuln/2020.xml70
-rw-r--r--security/vuxml/vuln/2023.xml3
-rw-r--r--security/vuxml/vuln/2024.xml555
3 files changed, 597 insertions, 31 deletions
diff --git a/security/vuxml/vuln/2020.xml b/security/vuxml/vuln/2020.xml
index c91206e3c661..138f108b0578 100644
--- a/security/vuxml/vuln/2020.xml
+++ b/security/vuxml/vuln/2020.xml
@@ -386,7 +386,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.6</lt></range>
+ <range><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -405,6 +405,7 @@
<dates>
<discovery>2020-01-02</discovery>
<entry>2020-01-02</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -413,7 +414,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.5.3</lt></range>
+ <range><lt>9.5.3,1</lt></range>
</package>
</affects>
<description>
@@ -431,6 +432,7 @@
<dates>
<discovery>2020-10-22</discovery>
<entry>2020-10-22</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -439,7 +441,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.5.3</lt></range>
+ <range><lt>9.5.3,1</lt></range>
</package>
</affects>
<description>
@@ -457,6 +459,7 @@
<dates>
<discovery>2020-10-22</discovery>
<entry>2020-10-22</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -465,8 +468,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>9.5.0</gt></range>
- <range><lt>9.5.3</lt></range>
+ <range><ge>9.5.0,1</ge><lt>9.5.3,1</lt></range>
</package>
</affects>
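Review bot: The new lower bound `<ge>9.5.0,1</ge>` will not match a glpi-9.5.0, 9.5.1 or 9.5.2 package built before the port's PORTEPOCH bump, because pkg's version comparison orders on epoch before version and an epoch-0 `9.5.1` sorts below `9.5.0,1`; if any such packages were ever produced, the old false positive becomes a false negative, so confirm when the epoch was introduced before relying on this form. The upper bound has no such problem, since `<lt>9.5.3,1</lt>` is above every epoch-0 version as well as every epoch-1 version below 9.5.3. Note also that `<gt>9.5.0</gt>` became `<ge>`, which widens the range to include 9.5.0 itself independently of the epoch fix; that is correct only if the referenced advisory says the bug is present from 9.5.0, which should be checked rather than assumed. The enclosing `<vuln>` element starts and ends outside this hunk.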
<description>
@@ -486,6 +488,7 @@
<dates>
<discovery>2020-10-01</discovery>
<entry>2020-10-01</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -494,8 +497,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>9.1</gt></range>
- <range><lt>9.5.2</lt></range>
+ <range><ge>9.1,1</ge><lt>9.5.2,1</lt></range>
</package>
</affects>
<description>
@@ -514,6 +516,7 @@
<dates>
<discovery>2020-06-25</discovery>
<entry>2020-06-25</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -522,8 +525,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>9.5.0</gt></range>
- <range><lt>9.5.2</lt></range>
+ <range><ge>9.5.0,1</ge><lt>9.5.2,1</lt></range>
</package>
</affects>
<description>
@@ -542,6 +544,7 @@
<dates>
<discovery>2020-06-25</discovery>
<entry>2020-06-25</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -550,8 +553,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>0.65</gt></range>
- <range><lt>9.5.2</lt></range>
+ <range><lt>9.5.2,1</lt></range>
</package>
</affects>
<description>
@@ -570,6 +572,7 @@
<dates>
<discovery>2020-06-25</discovery>
<entry>2020-06-25</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -578,8 +581,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>0.68</gt></range>
- <range><lt>9.5.2</lt></range>
+ <range><lt>9.5.2,1</lt></range>
</package>
</affects>
<description>
@@ -598,6 +600,7 @@
<dates>
<discovery>2020-06-25</discovery>
<entry>2020-06-25</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -606,8 +609,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>0.70</gt></range>
- <range><lt>9.5.2</lt></range>
+ <range><lt>9.5.2,1</lt></range>
</package>
</affects>
<description>
@@ -626,6 +628,7 @@
<dates>
<discovery>2020-06-25</discovery>
<entry>2020-06-25</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -634,8 +637,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>9.5.0</gt></range>
- <range><lt>9.5.1</lt></range>
+ <range><ge>9.5.0,1</ge><lt>9.5.1,1</lt></range>
</package>
</affects>
<description>
@@ -655,6 +657,7 @@
<dates>
<discovery>2020-06-25</discovery>
<entry>2020-06-25</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -663,8 +666,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>0.68.1</gt></range>
- <range><lt>9.4.6</lt></range>
+ <range><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -683,6 +685,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -691,7 +694,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.6</lt></range>
+ <range><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -710,6 +713,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -718,7 +722,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.6</lt></range>
+ <range><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -738,6 +742,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -746,8 +751,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>0.83.3</gt></range>
- <range><lt>9.4.6</lt></range>
+ <range><ge>0.83.3,1</ge><lt>9.4.6,1</lt></range>
</package>
</affects>
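Review bot: This is the only pre-9.x lower bound the commit keeps: the sibling hunks drop `<gt>0.65</gt>`, `<gt>0.68</gt>`, `<gt>0.70</gt>` and `<gt>0.68.1</gt>` outright, while here `<gt>0.83.3</gt>` survives as `<ge>0.83.3,1</ge>`. Dropping the bound is the safer choice for pkg audit, since `<ge>0.83.3,1</ge>` excludes any epoch-0 install of a version between 0.83.3 and 9.4.6 that pkg would rank below `0.83.3,1`; unless the port is known never to have shipped such a package, `<range><lt>9.4.6,1</lt></range>` would match the treatment given to the other entries. If 0.83.3 is deliberately kept as meaningful, the commit message should say why this entry differs. The enclosing `<vuln>` element starts and ends outside this hunk.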
<description>
@@ -767,6 +771,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -775,7 +780,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.6</lt></range>
+ <range><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -795,6 +800,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -803,8 +809,7 @@
<affects>
<package>
<name>glpi</name>
- <range><gt>9.1</gt></range>
- <range><lt>9.4.6</lt></range>
+ <range><ge>9.1,1</ge><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -824,6 +829,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -832,7 +838,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.6</lt></range>
+ <range><lt>9.4.6,1</lt></range>
</package>
</affects>
<description>
@@ -850,6 +856,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -858,7 +865,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.5.0</lt></range>
+ <range><lt>9.5.0,1</lt></range>
</package>
</affects>
<description>
@@ -878,6 +885,7 @@
<dates>
<discovery>2020-03-30</discovery>
<entry>2020-03-30</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -886,7 +894,7 @@
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.4</lt></range>
+ <range><lt>9.4.4,1</lt></range>
</package>
</affects>
<description>
@@ -906,6 +914,7 @@
<dates>
<discovery>2019-08-05</discovery>
<entry>2019-08-05</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
@@ -9011,7 +9020,7 @@ Workaround:
<affects>
<package>
<name>glpi</name>
- <range><lt>9.4.3</lt></range>
+ <range><lt>9.4.3,1</lt></range>
</package>
</affects>
<description>
@@ -9031,6 +9040,7 @@ Workaround:
<dates>
<discovery>2019-02-25</discovery>
<entry>2020-05-09</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index d9b02f61c794..74e0306ae776 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -8265,7 +8265,7 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417).
<affects>
<package>
<name>glpi</name>
- <range><lt>10.0.7</lt></range>
+ <range><lt>10.0.7,1</lt></range>
</package>
</affects>
<description>
@@ -8305,6 +8305,7 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417).
<dates>
<discovery>2023-03-20</discovery>
<entry>2023-05-08</entry>
+ <modified>2024-04-25</modified>
</dates>
</vuln>
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index c28463cdfc36..ed943beccb02 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,558 @@
+ <vuln vid="10e86b16-6836-11ee-b06f-0050569ceb3a">
+ <topic>Unallowed PHP script execution in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>From the GLPI 10.0.10 Changelog:</p>
+ <blockquote
+ cite="https://github.com/glpi-project/glpi/releases/tag/10.0.10">
+ <p>You will find below security issues fixed in this bugfixes version:
+ [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).</p>
+ </blockquote>
+ <p>The mentioned CVE is invalid</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-42802</cvename>
+ <url>https://github.com/glpi-project/glpi/releases/tag/10.0.10</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="894f2491-6834-11ee-b06f-0050569ceb3a">
+ <topic>glpi-project -- SQL injection in ITIL actors in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. The ITIL
+ actors input field from the Ticket form can be used to perform a
+ SQL injection. Users are advised to upgrade to version 10.0.10.
+ There are no known workarounds for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-42461</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42461</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="54e5573a-6834-11ee-b06f-0050569ceb3a">
+ <topic>Phishing through a login page malicious URL in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>10.0.8,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-2hcg-75jj-hghp">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. The lack
+ of path filtering on the GLPI URL may allow an attacker to transmit
+ a malicious URL of login page that can be used to attempt a phishing
+ attack on user credentials. Users are advised to upgrade to version
+ 10.0.10. There are no known workarounds for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41888</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41888</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="20302cbc-6834-11ee-b06f-0050569ceb3a">
+ <topic>Users login enumeration by unauthenticated user in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5cf4-6q6r-49x9">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. An
+ unauthenticated user can enumerate users logins. Users are advised
+ to upgrade to version 10.0.10. There are no known workarounds for
+ this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41323</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41323</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ae8b1445-6833-11ee-b06f-0050569ceb3a">
+ <topic>Privilege Escalation from technician to super-admin in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.1.0,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-9j8m-7563-8xvr">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. A user
+ with write access to another user can make requests to change the
+ latter&apos;s password and then take control of their account.
+ Users are advised to upgrade to version 10.0.10. There are no known
+ work around for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41322</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41322</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6851f3bb-6833-11ee-b06f-0050569ceb3a">
+ <topic>Sensitive fields enumeration through API in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.1.1,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-3fxw-j5rj-w836">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. An API
+ user can enumerate sensitive fields values on resources on which
+ he has read access. Users are advised to upgrade to version 10.0.10.
+ There are no known workarounds for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41321</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41321</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="df71f5aa-6831-11ee-b06f-0050569ceb3a">
+ <topic>File deletion through document upload process in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>10.0.0,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. The document
+ upload process can be diverted to delete some files. Users are
+ advised to upgrade to version 10.0.10. There are no known workarounds
+ for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-42462</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-42462</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="95c4ec45-6831-11ee-b06f-0050569ceb3a">
+ <topic>Account takeover through API in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.3.0,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. An API
+ user that have read access on users resource can steal accounts of
+ other users. Users are advised to upgrade to version 10.0.10.
+ There are no known workarounds for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41324</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41324</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="040e69f1-6831-11ee-b06f-0050569ceb3a">
+ <topic>Account takeover via Kanban feature in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.5.0,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-5wj6-hp4c-j5q9">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. A logged
+ user from any profile can hijack the Kanban feature to alter any
+ user field, and end-up with stealing its account. Users are advised
+ to upgrade to version 10.0.10. There are no known workarounds for
+ this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41326</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41326</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6f6518ab-6830-11ee-b06f-0050569ceb3a">
+ <topic>Account takeover via SQL Injection in UI layout preferences in GLPI</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>10.0.0,1</ge><lt>10.0.10,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/security/advisories/GHSA-mv2r-gpw3-g476">
+ <p>GLPI stands for Gestionnaire Libre de Parc Informatique is a Free
+ Asset and IT Management Software package, that provides ITIL Service
+ Desk features, licenses tracking and software auditing. UI layout
+ preferences management can be hijacked to lead to SQL injection.
+ This injection can be use to takeover an administrator account.
+ Users are advised to upgrade to version 10.0.10. There are no known
+ workarounds for this vulnerability.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-41320</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-41320</url>
+ </references>
+ <dates>
+ <discovery>2023-09-27</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="257e1bf0-682f-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to SQL injection via dashboard administration</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.5.0,1</ge><lt>10.0.9,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.9">
+ <p>GLPI is a Free Asset and IT Management Software package, Data center
+ management, ITIL Service Desk, licenses tracking and software
+ auditing. An administrator can trigger SQL injection via dashboards
+ administration. This vulnerability has been patched in version
+ 10.0.9.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-37278</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-37278</url>
+ </references>
+ <dates>
+ <discovery>2023-07-13</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="40173815-6827-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to unauthorized access to User data</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Versions
+ of the software starting with 0.68 and prior to 10.0.8 have an
+ incorrect rights check on a on a file accessible by an authenticated
+ user. This allows access to the list of all users and their personal
+ information. Users should upgrade to version 10.0.8 to receive a
+ patch.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-34106</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34106</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1fe40200-6823-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to unauthorized access to KnowbaseItem data</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.2.0,1</ge><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Versions
+ of the software starting with 9.2.0 and prior to 10.0.8 have an
+ incorrect rights check on a on a file accessible by an authenticated
+ user, allows access to the view all KnowbaseItems. Version 10.0.8
+ has a patch for this issue.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-34107</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34107</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b14a6ddc-6821-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to reflected XSS in search pages</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.4.0,1</ge><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Starting
+ in version 9.4.0 and prior to version 10.0.8, a malicious link can
+ be crafted by an unauthenticated user that can exploit a reflected
+ XSS in case any authenticated user opens the crafted link. Users
+ should upgrade to version 10.0.8 to receive a patch.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-34244</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-34244</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="95fde6bc-6821-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to unauthenticated access to Dashboard data</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.5.0,1</ge><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Starting
+ in version 9.5.0 and prior to version 10.0.8, an incorrect rights
+ check on a file allows an unauthenticated user to be able to access
+ dashboards data. Version 10.0.8 contains a patch for this issue.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-35940</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35940</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="717efd8a-6821-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to unauthorized access to Dashboard data</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>9.5.0,1</ge><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Starting
+ in version 9.5.0 and prior to version 10.0.8, an incorrect rights
+ check on a on a file accessible by an authenticated user (or not
+ for certain actions), allows a threat actor to interact, modify,
+ or see Dashboard data. Version 10.0.8 contains a patch for this
+ issue.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-35939</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35939</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="548a4163-6821-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to SQL injection through Computer Virtual Machine information</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Starting
+ in version 0.80 and prior to version 10.0.8, Computer Virtual Machine
+ form and GLPI inventory request can be used to perform a SQL injection
+ attack. Version 10.0.8 has a patch for this issue. As a workaround,
+ one may disable native inventory.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-36808</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-36808</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="e44e5ace-6820-11ee-b06f-0050569ceb3a">
+ <topic>GLPI vulnerable to SQL injection via inventory agent request</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><ge>10.0.0,1</ge><lt>10.0.8,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security-advisories@github.com reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.8">
+ <p>GLPI is a free asset and IT management software package. Starting
+ in version 10.0.0 and prior to version 10.0.8, GLPI inventory
+ endpoint can be used to drive a SQL injection attack. By default,
+ GLPI inventory endpoint requires no authentication. Version 10.0.8
+ has a patch for this issue. As a workaround, one may disable native
+ inventory.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2023-35924</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2023-35924</url>
+ </references>
+ <dates>
+ <discovery>2023-07-05</discovery>
+ <entry>2023-10-11</entry>
+ </dates>
+ </vuln>
+
<vuln vid="bdfa6c04-027a-11ef-9c21-901b0e9408dc">
<topic>py-matrix-synapse -- weakness in auth chain indexing allows DoS</topic>
<affects>
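Review bot: The first new entry (vid 10e86b16-…) lists `<cvename>CVE-2023-42802</cvename>` as a reference while its description asserts `The mentioned CVE is invalid` with no source, and consumers of VuXML key on that identifier, so the two halves of the entry contradict each other. Either cite where the identifier was rejected and drop the `<cvename>`, or drop the sentence and keep the reference; as written a reader cannot tell which to trust. Separately, all nineteen new entries carry `<entry>2023-10-11</entry>` yet are placed in 2024.xml; if the per-year split follows the entry date they belong in 2023.xml, otherwise `<entry>` should be the date they actually landed (2024-04-25) with `<discovery>` left as is. Lower bounds are also spelled two ways across the commit (`9.1,1` in the corrected 2020 entries versus `9.1.0,1` in the privilege-escalation entry here); pkg's comparison is expected to treat them as equal, but one spelling per package avoids having to reason about that.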