GLPI
GLPI is an open source resource management application.
Installatron Remote is a one-click solution to install and manage all of your GLPI websites. Using Installatron helps ensure GLPI is kept up-to-date and secure, and Installatron features like Clone, Backup and Restore, and Backup Scheduling can save you time.
Your open source tool to manage Helpdesk and IT assets!
Features:
- CMDB: Manage hardware, software and data centers. Link Asset inventory to Helpdesk and get 360° control of your IT and business infrastructure.
- Helpdesk: Organize your support easily with GLPI: manage incidents/requests, create forms, define SLAs, deliver the best experience to your customers.
- Financial Management: Discover the full potential of GLPI: track your expenses, contracts and suppliers, create new inventory objects, manage user database and make reports.
- Project Management: Manage projects with GLPI: assign tasks, add collaborators, set up deadlines. Create reports and explore Kanban boards to organize your team!
- Administration: Take control over users: define entities, create profiles and restrict access to information. With GLPI rules you can define the role of each member of the directory and set up workflows for Helpdesk and Inventory.
- Configuration: Customize GLPI: explore setup features to add the logo of your brand, select the color palette and configure plugins. In this section you can also manage SLAs and notifications.
- Developer: GLPI
10.0.18 (security release) 28 March - 295MB
Security
- Unauthenticated SQL injection through the inventory endpoint (CVE-2025-24799)
- Authenticated Remote code execution (CVE-2025-24801)
- SQL injection through the rules configuration (CVE-2025-21619)
- Open Redirection (CVE-2024-11955)
- Reflected XSS in search page (CVE-2025-21627)
- Exposure of sensitive information in the `status.php` endpoint (CVE-2025-21626)
- Plugins disabled by unauthenticated user (CVE-2025-23024)
- Unauthorized authentication by email using the OAuthIMAP plugin (CVE-2025-23046)
- Unauthorized access to debug mode (CVE-2025-25192)
Read more: https://glpi-project.org/glpi-10-0-18-is-available/
10.0.17 (security release) 11 November 2024 - 295MB
Security
- Unauthenticated session hijacking (CVE-2024-50339)
- Account takeover through SQL injection (CVE-2024-40638)
- Users email enumeration by unauthenticated user (CVE-2024-43416)
- Account takeover without privilege escalation through the API (CVE-2024-47758)
- Account takeover via the password reset feature (CVE-2024-47761)
- Account takeover via API (CVE-2024-47760)
- Insecure account deletion by authenticated user (CVE-2024-48912)
- Authenticated SQL Injection (CVE-2024-45608)
- Authenticated SQL injection in ticket form (CVE-2024-41679)
- Stored XSS in RSS feeds (CVE-2024-45611)
- Stored XSS via document upload (CVE-2024-47759)
- Multiple reflected XSS (CVE-2024-43417, CVE-2024-43418, CVE-2024-45609, CVE-2024-45610, CVE-2024-41678)
Read more: https://glpi-project.org/glpi-release-10-0-17/
10.0.16 (security release) 3 July 2024 - 275MB
Security
- Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
- Remote code execution through the plugin loader (CVE-2024-37149)
- Authenticated file upload to restricted tickets (CVE-2024-37147)
Bug Fixes and Changes
- Freesize database field was not correctly migrated
- Network inventoried stacked switches had all the same name
- Remove monitors from inventory when no monitor is present
- Import location hierarchy from LDAP and Inventory
Read more: https://glpi-project.org/glpi-10-0-16-is-released/
10.0.15 (security release) 25 April 2024 - 275MB
Security
- Authenticated SQL injection from map search (CVE-2024-31456)
- Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
Bug Fixes and Changes
- Fix used right by reservation form.
- Do not rely on input to apply rules rights.
- Always store updated SMTP Oauth refresh token.
- Upgrade tinymce.
- And many more fixes.
Read more: https://glpi-project.org/glpi-release-10-0-15/
10.0.14 (security release) 15 March 2024 - 275MB
10.0.14
Security
- SQL Injection through the search engine (CVE-2024-27096)
- Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
- Stored XSS in dashboards (CVE-2024-27104)
- Reflected XSS in debug mode (CVE-2024-27914)
- Sensitive fields access through dropdowns (CVE-2024-27930)
- Users emails enumeration (CVE-2024-27937)
Bug Fixes
- Fix assign field when suppliers assign is available
- Switching entities issues
10.0.13
Bug Fixes
- Error when creating a Ticket with SLA/OLA.
- Weekly recurrent reservations creation does not work.
- And many more fixes.
Read more: https://glpi-project.org/news/
10.0.12 2 February 2024 - 275MB
Changes
- Permissions for historical data and system logs (Administration > Logs) are now managed by "Historical (READ)" and "System Logs (READ)" respectively.
Deprecated
- `Entity::cleanEntitySelectorCache()` no longer has any effect as the entity selector is no longer cached as a unique entry
Read more: https://glpi-project.org/news/
10.0.11 (security release) 13 December 2023 - 275MB
Security
- Authenticated SQL Injection (CVE-2023-43813)
- SQL injection through inventory agent request (CVE-2023-46727)
- Remote code execution from LDAP server configuration form on PHP 7.4 (CVE-2023-46726)
Bug Fixes and Changes
- Enhance pending reasons display
- Various LDAP fixes (timeout, location import, deletion/restoration scenarios)
- Several inventory fixes (unmanaged assets reconciliation, rules for phones, rules logs for discovery, Cisco stacks, removal of remote management)
- Several performance enhancements (defer entity tree loading, strong enhancement on actors loading, all assets query execution time, web cron removal, dual ajax call for tab loading)
- Highlights of security requirements on the install/update page. Some options, such as PHP versions and web folder setup, are suggested with a strong visual.
- Dozens of bug fixes
Deprecated
- Usage of the `DBmysql::query()` method is deprecated for security reasons, as it is most of the time used in an insecure way. To execute DB queries, either use `DBmysql::request()` to craft the query with the GLPI query builder, or use `DBmysql::doQuery()` to execute a safe query from a self-crafted SQL string. To avoid cluttering error logs, this deprecation will not trigger any error unless the `GLPI_STRICT_DEPRECATED` constant is set to `true`.
Read more: https://glpi-project.org/news/
10.0.10 (security release) 3 October 2023 - 275MB
Security
- Unallowed PHP script execution (CVE-2023-42802).
- Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
- Account takeover via Kanban feature (CVE-2023-41326).
- Account takeover through API (CVE-2023-41324).
- File deletion through document upload process (CVE-2023-42462).
- Sensitive fields enumeration through API (CVE-2023-41321).
- Privilege Escalation from technician to super-admin (CVE-2023-41322).
- Users login enumeration by unauthenticated user (CVE-2023-41323).
- Phishing through a login page malicious URL (CVE-2023-41888).
- SQL injection in ITIL actors (CVE-2023-42461).
Bug Fixes and Changes
- PHP 8.3 and MySQL 8.1 support.
- Enable usage of images in rich text of followups/tasks/solution templates.
- Improve ticket timeline rendering performances.
- Fix issues with usage of LDAP bind options.
- Fix some issues on SLA/OLA escalation levels computation.
- Fix some issues on search on numeric and dates fields.
Read more: https://glpi-project.org/news/
10.0.9 (security release) 12 July 2023 - 275MB
This release fixes several security issues that have been recently discovered. Update is recommended!
10.0.9
Unspecified changes.
10.0.8
Security
- SQL injection via inventory agent request (CVE-2023-35924).
- SQL injection through Computer Virtual Machine information (CVE-2023-36808).
- Unauthorized access to Dashboard data (CVE-2023-35939).
- Unauthenticated access to Dashboard data (CVE-2023-35940).
- Reflected XSS in search pages (CVE-2023-34244).
- Unauthorized access to knowledge base items (CVE-2023-34107).
- Unauthorized access to user data (CVE-2023-34106).
Bug Fixes and Changes
- Improve mail grouping (#14296)
- Add deleted status in item’s header (#14382)
- Add option to control the display of dropdowns labels (#14472)
- Allow checking the DB schema from GLPI versions >= 0.80 (#14666)
- Improve performance of plugins init (#14511)
- Improve performance of kanban views (#14525, #14599, #14764)
- Ldap issues with PHP versions >= 8.1 (#14561)
- SLA waiting time duration (#14937)
- Notification encoding for MS Outlook (#14959)
- A lot of fixes in native inventory
Read more: https://glpi-project.org/news/
10.0.7 (security release) 6 April 2023 - 275MB
This release fixes several security issues that have been recently discovered. Update is recommended!
Security
- SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
- Account takeover by authenticated user (CVE-2023-28632).
- SQL injection through dynamic reports (CVE-2023-28838).
- Stored XSS through dashboard administration (CVE-2023-28852).
- Stored XSS on external links (CVE-2023-28636).
- Reflected XSS in search pages (CVE-2023-28639).
- Privilege Escalation from technician to super-admin (CVE-2023-28634).
- Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).
Bug Fixes and Changes
- Optional GLPI router to be able to use a safer web server root directory.
- Support of SMTP OAuth authentication.
- Improved inventory file upload feature.
- Many fixes and improvements on native inventory.
- Some bugs on PHP 8.2.
- Caching issues on entities.
- Boolean FullText operator not working on knowledge base search.
- Unexpected search results when using negative condition on ticket actors.
- Issues with LDAP filters/DN.
- Unexpected results when searching on knowledge base categories.
Read more: https://glpi-project.org/new-version-glpi-10-0-7/
10.0.6 (security release) 25 January 2023 - 275MB
Security
- Unauthorized access to inventory files (CVE-2023-22500)
- XSS on browse views (CVE-2023-22722)
- XSS on external links (CVE-2023-22725)
- XSS in RSS Description Link (CVE-2023-22724)
- Unauthorized access to data export (CVE-2023-23610)
- Stored XSS inside Standard Interface Help Link href attribute (CVE-2022-41941)
Bug Fixes and Changes
- Unmanaged devices can be handled like a real asset.
- Handle more actions for stale inventory agents.
- Added new dictionary rules for OS.
- Removed glpi: prefix on console commands.
- PHP 8.2 support.
- Many fixes and improvements on native inventory.
- Reservation display on self-service profile.
- Mail collector issues with emails sent from Outlook.
- Dashboard issues on “All” tab.
- Ticket input is restored when submitted form is not complete.
- Notification was not sent when ticket status was set to “pending”.
Read more: https://glpi-project.org/new-version-glpi-10-0-6/
10.0.5 (security release) 8 November 2022 - 275MB
10.0.5
Bug Fixes
- The user is logged out when he tries to switch to another entity.
10.0.4
Security
- Blind SSRF in RSS feeds and planning (CVE-2022-39276)
- Stored XSS in user information (CVE-2022-39372)
- Stored XSS in entity name (CVE-2022-39373)
- Improper input validation on emails links (CVE-2022-39376)
- Improper access to debug panel (CVE-2022-39370)
- User’s session persists after permanently deleting his account (CVE-2022-39234)
- Stored XSS on login page (CVE-2022-39262)
- XSS in external links (CVE-2022-39277)
- XSS through public RSS feed (CVE-2022-39375)
- SQL Injection on REST API (CVE-2022-39323)
- Stored XSS through asset inventory (CVE-2022-39371)
Bug Fixes and Changes
- Increase significantly dashboards performance
- Several bugs on images pasting
- Fixed and improved inventory locks management
- Display of printer cartridges
- Display and hide actors tooltips in tickets
- Improve display of headers above forms
- Move breakpoints on responsive displays
- Inventory API is now disabled by default
- Dedicated rights have been added for inventory
Read more: https://glpi-project.org/new-glpi-version-10-0-5-and-glpi-9-5-11-bugfixes/
10.0.3 18 October 2022 - 275MB