=====================================================================
CERT-Renater Information Note No. 2025/VULN867
_____________________________________________________________________
DATE : 17/12/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running GLPI versions prior to 10.0.21.
=====================================================================
https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q
https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx
_____________________________________________________________________

Unauthorized access to Knowledge Base items through the API
Severity: Moderate
Published by cedric-anne as GHSA-62p9-prpq-j62q on Dec 16, 2025

Package:           glpi (glpi)
Affected versions: >= 9.1.0
Patched versions:  10.0.21

Description
Impact: An unauthorized user with API access can read all knowbase entries.
Patches: Upgrade to 10.0.21.
For more information: If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

Severity: Moderate, 6.5 / 10
CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: Low
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           None
  Availability:        None
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID:   CVE-2025-64520
Weakness: CWE-862
Credits:  @rootjog (rootjog), Reporter
_____________________________________________________________________

Unauthenticated Stored XSS through the inventory endpoint
Severity: Moderate
Published by cedric-anne as GHSA-j8vv-9f8m-r7jx on Dec 16, 2025

Package:           glpi (glpi)
Affected versions: >= 10.0.0, < 11.0.0
Patched versions:  10.0.21

Description
Impact: An unauthenticated user can store an XSS payload through the inventory endpoint.
Patches: Upgrade to 10.0.21.
For more information: If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

Severity: Moderate, 6.5 / 10
CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    Required
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           None
  Availability:        None
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE ID:   CVE-2025-59935
Weakness: CWE-79
Credits:  @luhko (luhko), Reporter

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41         +
+ 75013 Paris            | email: cert@support.renater.fr +
=========================================================