3 October 2023
GLPI version 10.0.10 is now available (security release).
Upgrading to GLPI 10.0.10
GLPI 10.0.10 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply GLPI updates as new versions are released, or use Installatron's Clone feature to duplicate an existing GLPI install to test the 10.0.10 upgrade prior to applying it live. Get started managing your GLPI installations with Installatron.
What's New in GLPI 10.0.10
- Unallowed PHP script execution (CVE-2023-42802).
- Account takeover via SQL Injection in UI layout preferences (CVE-2023-41320).
- Account takeover via Kanban feature (CVE-2023-41326).
- Account takeover through API (CVE-2023-41324).
- File deletion through document upload process (CVE-2023-42462).
- Sensitive fields enumeration through API (CVE-2023-41321).
- Privilege Escalation from technician to super-admin (CVE-2023-41322).
- Users login enumeration by unauthenticated user (CVE-2023-41323).
- Phishing through a login page malicious URL (CVE-2023-41888).
- SQL injection in ITIL actors (CVE-2023-42461).
Bug Fixes and Changes
- PHP 8.3 and MySQL 8.1 support.
- Enable usage of images in rich text of followups/tasks/solution templates.
- Improve ticket timeline rendering performance.
- Fix issues with usage of LDAP bind options.
- Fix some issues with SLA/OLA escalation level computation.
- Fix some issues with searches on numeric and date fields.