This release fixes several critical security issues that have been recently discovered. Update is strongly recommended!
You will find below the list of security issues fixed in this bugfix version:
[SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
[SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
[SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
[SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
[SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
[SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
[SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
[SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).
Also, here is a short list of main changes done in this version:
[SECURITY] Optional GLPI router to be able to use a safer web server root directory.
[FEATURE] Support of SMTP OAuth authentication.
[FEATURE] Improved inventory file upload feature.
[FIX] Many fixes and improvements on native inventory.
[FIX] Some bugs on PHP 8.2.
[FIX] Caching issues on entities.
[FIX] Boolean FullText operator not working on knowledge base search.
[FIX] Unexpected search results when using negative condition on ticket actors.
[FIX] Issues with LDAP filters/DN.
[FIX] Unexpected results when searching on knowledge base categories.
See full technical changelog for details.
We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!
Need professional support for GLPI? Consider GLPI Network! https://glpi-project.org/fr/tarifs/
Do you know about the Cloud offering maintained and supported by the team that publishes GLPI?
You can try it for free for 45 days! https://glpi-network.cloud (or longer if needed)