===================================================================
                           CERT-Renater

                Information Note No. 2022/VULN331
_____________________________________________________________________

DATE                 : 20/09/2022

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running GLPI versions prior to 10.0.3.

====================================================================
https://glpi-project.org/new-glpi-version-10-0-3/
_____________________________________________________________________

New GLPI version 10.0.3

Sep 14, 2022 | News

A new GLPI version is available. This release fixes several critical
security issues that have been recently discovered. Update is strongly
recommended!

You can download the GLPI 10.0.3 archive on GitHub.

Exceptionally, as we have critical security issues that affect GLPI 9.5,
we also release a GLPI 9.5.9 archive.

You’ll find below the list of security issues fixed in this bugfix
version:

  - XSS through registration API (CVE-2022-35945)
  - Leak of sensitive information through login page error
    (CVE-2022-31143)
  - Stored XSS through global search (CVE-2022-31187)
  - Command injection using a third-party library script
    (CVE-2022-35914)
  - SQL injection through plugin controller (CVE-2022-35946)
  - Authentication via SQL injection (CVE-2022-35947)
  - Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning
    (CVE-2022-36112)

Also, here is a short list of the main changes in this version:

  - More precise rights checks on inventory (#12610)
  - Display of last inventoried value for locked fields (#12602)
  - Permit to use rules to add computers as virtual machines (#12572)
  - Delegate session cookies security to sysadmin (#12302)
  - Prevent collector failure on invalid mail header (#12232)
  - Many fixes on network inventory

The full changelog is available for more details.

We would like to thank all the people who contributed to this new
version and all those who contribute regularly to the GLPI project!

Regards.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================