10.0.17

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.17 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - critical] Unauthenticated session hijacking (CVE-2024-50339)
• [SECURITY - high] Account takeover through SQL injection (CVE-2024-40638)
• [SECURITY - high] Users email enumeration by unauthenticated user (CVE-2024-43416)
• [SECURITY - high] Account takeover without privilege escalation through the API (CVE-2024-47758)
• [SECURITY - high] Account takeover via the password reset feature (CVE-2024-47761)
• [SECURITY - high] Account takeover via API (CVE-2024-47760)
• [SECURITY - high] Insecure account deletion by authenticated user (CVE-2024-48912)
• [SECURITY - moderate] Authenticated SQL Injection (CVE-2024-45608)
• [SECURITY - moderate] Authenticated SQL injection in ticket form (CVE-2024-41679)
• [SECURITY - moderate] Stored XSS in RSS feeds (CVE-2024-45611)
• [SECURITY - moderate] Stored XSS via document upload (CVE-2024-47759)
• [SECURITY - moderate] Multiple reflected XSS (CVE-2024-43417, CVE-2024-43418, CVE-2024-45609, CVE-2024-45610, CVE-2024-41678)

Many bug fixes have also been made, read the full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

11.0.0-alpha

First alpha for GLPI 11

10.0.16

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.16 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
• [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
• [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)

Also, here is a short list of main changes done in this version:

• [FIX] Freesize database field was not correctly migrated
• [FIX] Network inventoried stacked switches had all the same name
• [FIX] Remove monitors from inventory when no monitor is present
• [FIX] Import location hierarchy from LDAP and Inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.15

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.15 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
• [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)

Also, here is a short list of main changes done in this version:

• [FIX] Fix used right by reservation form.
• [FIX] Do not rely on input to apply rules rights.
• [FIX] Always store updated SMTP Oauth refresh token.
• [TASK] Upgrade tinymce.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.14

Due to a few regressions in the last (10.0.13), an early release is available.

Here is the list of corrections made in this version:

• [FIX] Fix assign field when suppliers assign is available
• [FIX] Switching entities issues

You can download the GLPI 10.0.14 archive on GitHub.

Regards.

10.0.13

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.13 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
• [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
• [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
• [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
• [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
• [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)

Also, here is a short list of main changes done in this version:

• [FIX] Error when creating a Ticket with SLA/OLA.
• [FIX] Weekly recurrent reservations creation does not work.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.12

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.12 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - moderate] Reflected XSS in reports pages (CVE-2024-23645)
• [SECURITY - moderate] LDAP Injection during authentication (CVE-2023-51446)

Also, here is a short list of main changes done in this version:

• [FIX] Regression with entity selector missing cache invalidation
• [FIX] Better handling of connection issues during LDAP synchronization
• [PERF] The entity selector get significant reduction of load time in some cases

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.11

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.11 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

• [SECURITY - moderate] Authenticated SQL Injection (CVE-2023-43813)
• [SECURITY - high] SQL injection through inventory agent request (CVE-2023-46727)
• [SECURITY - high] Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)

On this last point, we wanted to recall the 7.4 version of PHP is very outdated and not supported anymore by the developers!
You should upgrade on a recent version, at least 8.2 (8.0 will be outdated at the end of the year and 8.1 will be only with security fixes).

Also, here is a short list of main changes done in this version:

• [UX] Enhance pending reasons display
• [FIX] various LDAP fixes (timeout, location import, deletion/restoration scenarios)
• [FIX] several inventory fixes (unmanaged assets reconciliation, rules for phones, rules logs for discovery, Cisco stacks, removal of remote management)
• [FIX] several performance enhancements (defer entity tree loading, strong enhancement on actors loading, all assets query execution time, web cron removal, dual ajax call for tab loading)
• [TASK] highlights of security requirements on install/update page. Some options like PHP versions, web folder setup are suggested with a strong visual.

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.10

This is a security release, upgrading is recommended

This release fixes a security issue that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.10 archive on GitHub.

You will find below security issues fixed in this bugfixes version:

• [SECURITY - Critical] Unallowed PHP script execution (CVE-2023-42802).
• [SECURITY - High] Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
• [SECURITY - High] Account takeover via Kanban feature (CVE-2023-41326).
• [SECURITY - High] Account takeover through API (CVE-2023-41324).
• [SECURITY - High] File deletion through document upload process (CVE-2023-42462).
• [SECURITY - Moderate] Sensitive fields enumeration through API (CVE-2023-41321).
• [SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-41322).
• [SECURITY - Moderate] Users login enumeration by unauthenticated user (CVE-2023-41323).
• [SECURITY - Moderate] Phishing through a login page malicious URL (CVE-2023-41888).
• [SECURITY - Moderate] SQL injection in ITIL actors (CVE-2023-42461).

Also, here is a short list of main changes done in this version:

• [FEATURE] PHP 8.3 and MySQL 8.1 support.
• [FEATURE] Enable usage of images in rich text of followups/tasks/solution templates.
• [PERFORMANCES] Improve ticket timeline rendering performances.
• [FIX] Fix issues with usage of LDAP bind options.
• [FIX] Fix some issues on SLA/OLA escalation levels computation.
• [FIX] Fix some issues on search on numeric and dates fields.
• Several minor fixes

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

10.0.9

This is a security release, upgrading is recommended

This release fixes a security issue that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.9 archive on GitHub.

You will find below the security issu fixed in this bugfixes version:

• [SECURITY - Moderate] SQL injection in dashboard administration (CVE-2023-37278).

Following the last releases of 10.0.8, a few annoying issues has been detected:

• Update script uses a SQL function incompatible with MySQL 5.7 (#15141)
• Private follow-ups and tasks are invisible to users with appropriate rights (#15128)
• Several minor fixes

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.