
Releases: glpi-project/glpi

10.0.6

24 Jan 13:52

This is a security release, upgrading is recommended

Download it

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.6 archive on GitHub.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
  • [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
  • [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
  • [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
  • [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
  • [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

Also, here is a short list of the main changes made in this version:

  • [FEATURE] Unmanaged devices can be handled like a real asset.
  • [FEATURE] Handle more actions for stale inventory agents.
  • [FEATURE] Added new dictionary rules for OS.
  • [CHANGED] Removed glpi: prefix on console commands.
  • [FIX] PHP 8.2 support.
  • [FIX] Many fixes and improvements on native inventory.
  • [FIX] Reservation display on self-service profile.
  • [FIX] Mail collector issues with emails sent from Outlook.
  • [FIX] Dashboard issues on "All" tab.
  • [FIX] Ticket input is restored when submitted form is not complete.
  • [FIX] Notification was not sent when ticket status was set to "pending".

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

9.5.12

24 Jan 13:52

Download it

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 9.5.12 archive on GitHub.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
  • [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
  • [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
  • [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

10.0.5

04 Nov 07:57

Download it

Following the recent releases of 10.0.4 and 9.5.10, an annoying issue was detected in one of the security fixes provided:
the user is logged out when trying to switch to another entity.

We are therefore releasing new versions to address this bug; you can download them on GitHub:

9.5.11

04 Nov 07:56

Download it

Following the recent releases of 10.0.4 and 9.5.10, an annoying issue was detected in one of the security fixes provided:
the user is logged out when trying to switch to another entity.

We are therefore releasing new versions to address this bug; you can download them on GitHub:

10.0.4

03 Nov 12:52

This is a security release, upgrading is recommended

Download it

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
  • [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
  • [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
  • [SECURITY - Low] Improper input validation on email links (CVE-2022-39376)
  • [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
  • [SECURITY - Moderate] User's session persists after permanently deleting their account (CVE-2022-39234)
  • [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
  • [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
  • [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
  • [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
  • [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)

Also, here is a short list of the main changes made in this version:

  • [FIX] Significantly increased dashboard performance
  • [FIX] Several bugs in image pasting
  • [FIX] Fixed and improved inventory lock management
  • [FIX] Display of printer cartridges
  • [FIX] Display and hide actor tooltips in tickets
  • [FIX] Improved display of headers above forms
  • [FIX] Moved breakpoints on responsive displays
  • [SECURITY] Inventory API is now disabled by default
  • [FEATURE] Dedicated rights have been added for inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

9.5.10

03 Nov 12:52

This is a security release, upgrading is recommended

Download it

This release fixes several security issues that have been recently discovered. Update is recommended!

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
  • [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
  • [SECURITY - Low] Improper input validation on email links (CVE-2022-39376)
  • [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
  • [SECURITY - Moderate] User's session persists after permanently deleting their account (CVE-2022-39234)
  • [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
  • [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
  • [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
  • [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)

Regards.

10.0.3

14 Sep 12:57

This is a security release, upgrading is recommended

Download it

This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!

You can download the GLPI 10.0.3 archive on GitHub.
Exceptionally, as some of these critical security issues also affect GLPI 9.5, we also release a GLPI 9.5.9 archive.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY] XSS through registration API (CVE-2022-35945)
  • [SECURITY] Leak of sensitive information through login page error (CVE-2022-31143)
  • [SECURITY] Stored XSS through global search (CVE-2022-31187)
  • [SECURITY] [critical] Command injection using a third-party library script (CVE-2022-35914)
  • [SECURITY] SQL injection through plugin controller (CVE-2022-35946)
  • [SECURITY] [critical] Authentication via SQL injection (CVE-2022-35947)
  • [SECURITY] Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)

Also, here is a short list of the main changes made in this version:

  • [FEATURE] More precise rights checks on inventory (#12610)
  • [FEATURE] Display of last inventoried value for locked fields (#12602)
  • [FEATURE] Permit to use rules to add computers as virtual machines (#12572)
  • [SECURITY] Delegate session cookies security to sysadmin (#12302)
  • [FIX] Prevent collector failure on invalid mail header (#12232)
  • [FIX] Many fixes on network inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

9.5.9

14 Sep 12:55

This is a security release, upgrading is recommended

Download it

This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY] XSS through registration API (CVE-2022-35945)
  • [SECURITY] Leak of sensitive information through login page error (CVE-2022-31143)
  • [SECURITY] [critical] Command injection using a third-party library script (CVE-2022-35914)
  • [SECURITY] SQL injection through plugin controller (CVE-2022-35946)
  • [SECURITY] [critical] Authentication via SQL injection (CVE-2022-35947)
  • [SECURITY] Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)

Regards.

10.0.2

28 Jun 12:12

This is a security release, upgrading is recommended

Download it

A lot of issues have been fixed since GLPI 10.0.1.
Below you will find a short list of the key points of this release:

  • [SECURITY] Unauthenticated SQL injection on login page (CVE-2022-31061)
  • [SECURITY] SQL injection on actor part in assistance forms (CVE-2022-31056)
  • [SECURITY] Unauthenticated Sensitive Data Exposure on Refused Inventory Files (CVE-2022-31068)
  • [FIX] Adding actors to ITIL Objects (#11796, #11957)
  • [FIX] Unwanted "promote to ticket" feature on self-service interface (#11834)
  • [FIX] Native inventory does not inject switch information (#11864)
  • [FIX] Entity for software creation (#11887, #11837)
  • [FEAT] Permit global lock on entity (#11853)

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

9.5.8

28 Jun 12:00

This is a security release, upgrading is recommended

Download it

Non-exhaustive list of changes:

  • [SECURITY] SQL injection on login page [CVE-2022-31061]
  • [SECURITY] XSS / open redirect via SVG file upload [CVE-2022-24868]
  • [SECURITY] Cross Site CSS Injection [CVE-2022-24869]
  • and more!

See the changelog for details.