This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!
You will find below the list of security issues fixed in this bugfix version:
[SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
[SECURITY - High] Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
[SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
[SECURITY - High] Account takeover through API (CVE-2023-41324).
[SECURITY - High] File deletion through document upload process (CVE-2023-42462).
[SECURITY - Moderate] Sensitive fields enumeration through API (CVE-2023-41321).
[SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-41322).
[SECURITY - Moderate] Users login enumeration by unauthenticated user (CVE-2023-41323).
[SECURITY - Moderate] Phishing through a login page malicious URL (CVE-2023-41888).
[SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).
Following the last release of 10.0.8, a few annoying issues have been detected:
[FEATURE] PHP 8.3 and MySQL 8.1 support.
[FEATURE] Enable usage of images in rich text of followups/tasks/solution templates.
[PERFORMANCES] Improve ticket timeline rendering performance.
[FIX] Fix issues with usage of LDAP bind options.
[FIX] Fix some issues on SLA/OLA escalation levels computation.
[FIX] Fix some issues on search on numeric and dates fields.
Several minor fixes
See full technical changelog for details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Need professional support for GLPI? Consider GLPI Network! https://glpi-project.org/fr/tarifs/
Do you know about the Cloud offering maintained and supported by the team that publishes GLPI?
You can try it for free for 45 days! https://glpi-network.cloud (or longer if needed)