
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN130
_____________________________________________________________________

DATE                : 04/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GLPI versions prior to 9.5.4.

=====================================================================
https://glpi-project.org/glpi-9-5-4/
_____________________________________________________________________

GLPI 9.5.4

    Teclib’ is happy to announce the release of GLPI 9.5.4.

    This release fixes several medium-severity security issues that have
been recently discovered. Updating is recommended!


You can download the GLPI 9.5.4 archive on GitHub.

Here is the list of security cases detected and fixed in this version:

    [security] Horizontal Privilege Escalation (CVE-2021-21326 by
                @indevi0us)
    [security] Entities switch IDOR (CVE-2021-21255 by @indevi0us)
    [security] XSS injection in ajax/kanban (CVE-2021-21258 by
                @lbpierre)
    [security] XSS injection on ticket update (CVE-2021-21314 by
                @ArianeBlow)
    [security] Stored XSS on documents (CVE-2021-21312 by @RedShellSec)
    [security] XSS on tabs (CVE-2021-21313 by @RedShellSec)
    [security] Stored XSS in budget type (CVE-2021-21325 by @lbpierre)
    [security] Remote objects instantiation (CVE-2021-21327 by
                @vadymsoroka)
    [security] Insecure Direct Object Reference (IDOR) on “Solutions”
                (CVE-2021-21324 by @indevi0us)

Note that some of them have been present for a long time (since version
0.68), but this time none of these issues were considered high/critical.


We also fixed a lot of bugs, here are the important ones:

    We continue the work on stabilising the usage of laminas/mail library:
        Handle RFC5987 format in Content-Disposition header
        Fix email attachment decoding logic
        Fix tickets ID fetching from email headers
    For the dashboards:
        Fix graph counts
        Add search filter criteria for widget by year
        New filter ‘my groups’
    Misc:
        Populate meta criteria in a generic way
        Make custom css from entity inheritables


The full changelog is available for more details.

We would like to thank all people who contributed to this new version
and all those who contribute regularly to the GLPI project!


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================