A new version of GLPI is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.6 archive on GitHub.
We still maintain the 9.5 branch for security fixes and also release a new version for it: GLPI 9.5.12 archive
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] Unauthorized access to inventory files (CVE-2023-22500)
- [SECURITY - Moderate] XSS on browse views (CVE-2023-22722)
- [SECURITY - Moderate] XSS on external links (CVE-2023-22725)
- [SECURITY - Moderate] XSS in RSS Description Link (CVE-2023-22724)
- [SECURITY - Moderate] Unauthorized access to data export (CVE-2023-23610)
- [SECURITY - Low] Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)
Also, here is a short list of main changes done in this version:
- [FEATURE] Unmanaged devices can be handled like a real asset.
- [FEATURE] Handle more actions for stale inventory agents.
- [FEATURE] Added new dictionary rules for OS.
- [CHANGED] Removed glpi: prefix on console commands.
- [FIX] PHP 8.2 support.
- [FIX] Many fixes and improvements on native inventory.
- [FIX] Reservation display on self-service profile.
- [FIX] Mail collector issues with emails sent from Outlook.
- [FIX] Dashboard issues on “All” tab.
- [FIX] Ticket input is restored when submitted form is not complete.
- [FIX] Notification was not sent when ticket status was set to “pending”.
The full changelog is available for more details.
We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
Following the last releases of 10.0.4 and 9.5.10, an annoying issue has been detected in one of the security fixes provided.
Users are logged out when they try to switch to another entity.
So we have released new versions to address the bug; you can download them on GitHub:
A new version of GLPI is available.
This release fixes several security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.4 archive on GitHub.
We also provide a security release for the 9.5 branch: GLPI 9.5.10 archive
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - Low] Blind SSRF in RSS feeds and planning (CVE-2022-39276)
- [SECURITY - Low] Stored XSS in user information (CVE-2022-39372)
- [SECURITY - Low] Stored XSS in entity name (CVE-2022-39373)
- [SECURITY - Low] Improper input validation on email links (CVE-2022-39376)
- [SECURITY - Moderate] Improper access to debug panel (CVE-2022-39370)
- [SECURITY - Moderate] User's session persists after permanently deleting their account (CVE-2022-39234)
- [SECURITY - Moderate] Stored XSS on login page (CVE-2022-39262)
- [SECURITY - Moderate] XSS in external links (CVE-2022-39277)
- [SECURITY - Moderate] XSS through public RSS feed (CVE-2022-39375)
- [SECURITY - High] SQL Injection on REST API (CVE-2022-39323)
- [SECURITY - High] Stored XSS through asset inventory (CVE-2022-39371)
Also, here is a short list of main changes done in this version:
- [FIX] Significantly increased dashboard performance
- [FIX] Several bugs on images pasting
- [FIX] Fixed and improved inventory locks management
- [FIX] Display of printer cartridges
- [FIX] Display and hide actors tooltips in tickets
- [FIX] Improve display of headers above forms
- [FIX] Move breakpoints on responsive displays
- [SECURITY] Inventory API is now disabled by default
- [FEATURE] Dedicated rights have been added for inventory
The full changelog is available for more details.
We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.