
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN553
_____________________________________________________________________

DATE                : 07/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GLPI versions prior to 9.5.2.

=====================================================================
https://glpi-project.org/glpi-9-5-2/
_____________________________________________________________________

GLPI 9.5.2

After several weeks, Teclib’ is happy to announce the release of GLPI
9.5.2.

    This release fixes several security issues that have recently been
discovered. Updating is strongly recommended!

    You can download the GLPI 9.5.2 archive on GitHub.

Here is the list of security flaws detected and fixed in this version:

    [security] SQL injection with a query parameter of user form
               (CVE-2020-15176)

    [security] Removal of the .htaccess file in the files folder via a
               plugin endpoint (CVE-2020-15175)
    [security] Leakage issue with knowledge base (CVE-2020-15217)
    [security] Stored XSS in install script (CVE-2020-15177)
    [security] Minor SQL injection in the Search API (CVE-2020-15226)

Note that some of these flaws have been present for a long time (since 0.68).

We also fixed a lot of issues, here are important ones:

    mailgates issues:
        encoding errors
        missing images in some tickets
        exceptions for some particular messages
    a small notice (listTables) was visible while updating to 9.5.1.
    in some rare cases, the encryption process of passwords could fail
    For the dashboards:
        fix user preferences
        fix overlap of mini dashboard above tickets list

And we worked on improving the dashboards:

    new summary widget
    new articles widget
    display labels on point and bar (with a new available option)
    cards have now a minimum size
    we added personal filters. Toggle edit mode, and add filters on top
of dashboards.


The full changelog is available for more details.


We would like to thank all people who contributed to this new version
and all those who contribute regularly to the GLPI project!


Regards.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41         +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
