This is a security release, upgrading is recommended
This release fixes several security issues that were recently discovered. Updating is recommended!
You can download the GLPI 10.0.17 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - critical] Unauthenticated session hijacking (CVE-2024-50339)
- [SECURITY - high] Account takeover through SQL injection (CVE-2024-40638)
- [SECURITY - high] Users email enumeration by unauthenticated user (CVE-2024-43416)
- [SECURITY - high] Account takeover without privilege escalation through the API (CVE-2024-47758)
- [SECURITY - high] Account takeover via the password reset feature (CVE-2024-47761)
- [SECURITY - high] Account takeover via API (CVE-2024-47760)
- [SECURITY - high] Insecure account deletion by authenticated user (CVE-2024-48912)
- [SECURITY - moderate] Authenticated SQL Injection (CVE-2024-45608)
- [SECURITY - moderate] Authenticated SQL injection in ticket form (CVE-2024-41679)
- [SECURITY - moderate] Stored XSS in RSS feeds (CVE-2024-45611)
- [SECURITY - moderate] Stored XSS via document upload (CVE-2024-47759)
- [SECURITY - moderate] Multiple reflected XSS (CVE-2024-43417, CVE-2024-43418, CVE-2024-45609, CVE-2024-45610, CVE-2024-41678)
Many bug fixes have also been made; the full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.