| Max CVSS | 6.4 | Min CVSS | 3.5 | Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published | |
| CVE-2020-11035 | 6.4 |
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
|
26-10-2021 - 20:01 | 05-05-2020 - 22:15 | |
| CVE-2020-11033 | 6.0 |
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalat
|
14-09-2021 - 14:09 | 05-05-2020 - 22:15 | |
| CVE-2020-11036 | 3.5 |
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "<script>alert(1)</script>" reproduces the attac
|
15-05-2020 - 05:15 | 05-05-2020 - 22:15 | |
| CVE-2020-11034 | 5.8 |
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.
|
15-05-2020 - 05:15 | 05-05-2020 - 22:15 |