Skip to content

10.0.13
Compare
Choose a tag to compare
@trasher trasher released this 13 Mar 08:30
· 68 commits to 10.0/bugfixes since this release
10.0.13
ba1f4be

This is a security release, upgrading is recommended

Download it

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.13 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

  • [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
  • [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
  • [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
  • [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
  • [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
  • [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)

Also, here is a short list of main changes done in this version:

  • [FIX] Error when creating a Ticket with SLA/OLA.
  • [FIX] Weekly recurrent reservations creation does not work.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

Assets 3