10.0.9

This is a security release, upgrading is recommended

This release fixes a security issue that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.9 archive on GitHub.

You will find below the security issu fixed in this bugfixes version:

• [SECURITY - Moderate] SQL injection in dashboard administration (CVE-2023-37278).

Following the last releases of 10.0.8, a few annoying issues has been detected:

• Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
• Private follow-ups and tasks are invisible to users with appropriate rights (#15128)
• Several minor fixes

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.8

This is a security release, upgrading is recommended

This release fixes several security issues that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.8 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - High] SQL injection via inventory agent request (CVE-2023-35924).
• [SECURITY - High] SQL injection through Computer Virtual Machine information (CVE-2023-36808).
• [SECURITY - High] Unauthorized access to Dashboard data (CVE-2023-35939).
• [SECURITY - High] Unauthenticated access to Dashboard data (CVE-2023-35940).
• [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-34244).
• [SECURITY - Moderate] Unauthorized access to knowledge base items (CVE-2023-34107).
• [SECURITY - Moderate] Unauthorized access to user data (CVE-2023-34106).

Also, here is a short list of main changes done in this version:

• [FEATURE] Improve mail grouping (#14296)
• [FEATURE] Add deleted status in item's header (#14382)
• [FEATURE] Add option to control the display of dropdowns labels (#14472)
• [FEATURE] Permits to check DB schema from GLPI versions >= 0.80 (#14666)
• [FIX] Improve performance of plugins init (#14511)
• [FIX] Improve performance of kanban views (#14525, #14599, #14764)
• [FIX] Ldap issues with PHP versions >= 8.1 (#14561)
• [FIX] SLA waiting time duration (#14937)
• [FIX] Notification encoding for MS Outlook (#14959)
• A lot of fixes in native inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.7

This is a security release, upgrading is recommended

This release fixes several security issues that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.7 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
• [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
• [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
• [SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
• [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
• [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
• [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
• [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

• [SECURITY] Optional GLPI router to be able to use a safer web server root directory.
• [FEATURE] Support of SMTP OAuth authentication.
• [FEATURE] Improved inventory file upload feature.
• [FIX] Many fixes and improvements on native inventory.
• [FIX] Some bugs on PHP 8.2.
• [FIX] Caching issues on entities.
• [FIX] Boolean FullText operator not working on knowledge base search.
• [FIX] Unexpected search results when using negative condition on ticket actors.
• [FIX] Issues with LDAP filters/DN.
• [FIX] Unexpected results when searching on knowledge base categories.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

9.5.13

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 9.5.13 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
• [SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
• [SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
• [SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
• [SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
• [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
• [SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Regards.

10.0.6

This is a security release, upgrading is recommended

This release fixes several security issues that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.6 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
• [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
• [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
• [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
• [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
• [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

Also, here is a short list of main changes done in this version:

• [FEATURE] Unmanaged devices can be handled like a real asset.
• [FEATURE] Handle more actions for stale inventory agents.
• [FEATURE] Added new dictionnary rules for OS.
• [CHANGED] Removed glpi: prefix on console commands.
• [FIX] PHP 8.2 support.
• [FIX] Many fixes and improvements on native inventory.
• [FIX] Reservation display on self-service profile.
• [FIX] Mail collector issues with emails sent from Outlook.
• [FIX] Dashboard issues on "All" tab.
• [FIX] Ticket input is restored when submitted form is not complete.
• [FIX] Notification was not sent when ticket status was set to "pending".

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

9.5.12

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the GLPI 9.5.12 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
• [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
• [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
• [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)

10.0.5

Following the last releases of 10.0.4 and 9.5.10, an annoying issue has been detected in one of the security fixes provided.
The user is logged out when he tries to switch to another entity.

So, we release new versions to address the bug, you can download them on github:

• GLPI 10.0.5 archive
• GLPI 9.5.11 archive

9.5.11

Following the last releases of 10.0.4 and 9.5.10, an annoying issue has been detected in one of the security fixes provided.
The user is logged out when he tries to switch to another entity.

So, we release new versions to address the bug, you can download them on github:

• GLPI 10.0.5 archive
• GLPI 9.5.11 archive

10.0.4

This is a security release, upgrading is recommended

This release fixes several security issues that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for 9.5 branch: GLPI 9.5.10 archive.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
• [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
• [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
• [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
• [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
• [SECURITY - Moderate] User's session persist after permanently deleting his account (CVE-2022-39234)
• [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
• [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
• [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
• [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
• [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)

Also, here is a short list of main changes done in this version:

• [FIX] Increase significantly dashboards performance
• [FIX] Several bugs on images pasting
• [FIX] Fixed and improved inventory locks management
• [FIX] Display of printer cartridges
• [FIX] Display and hide actors tooltips in tickets
• [FIX] Improve display of headers above forms
• [FIX] Move breakpoints on responsive displays
• [SECURITY] Inventory API is now disabled by default
• [FEATURE] Dedicated rights has been added for inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

9.5.10

This is a security release, upgrading is recommended

This release fixes several security issues that has been recently discovered. Update is recommended!

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
• [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
• [SECURITY - Low] Improper input validation on emails links (CVE-2022-39376)
• [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
• [SECURITY - Moderate] User's session persist after permanently deleting his account (CVE-2022-39234)
• [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
• [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
• [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
• [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)

Regards.