6 April 2023
GLPI version 10.0.7 is now available (security release).
Upgrading to GLPI 10.0.7
GLPI 10.0.7 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply GLPI updates as new versions are released, or use Installatron's Clone feature to duplicate an existing GLPI install to test the 10.0.7 upgrade prior to applying it live. Get started managing your GLPI installations with Installatron
What's New in GLPI 10.0.7
This release fixes several security issues that have been recently discovered. Update is recommended!
- SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
- Account takeover by authenticated user (CVE-2023-28632).
- SQL injection through dynamic reports (CVE-2023-28838).
- Stored XSS through dashboard administration (CVE-2023-28852).
- Stored XSS on external links (CVE-2023-28636).
- Reflected XSS in search pages (CVE-2023-28639).
- Privilege Escalation from technician to super-admin (CVE-2023-28634).
- Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).
Bug Fixes and Changes
- Optional GLPI router to be able to use a safer web server root directory.
- Support of SMTP OAuth authentication.
- Improved inventory file upload feature.
- Many fixes and improvements on native inventory.
- Some bugs on PHP 8.2.
- Caching issues on entities.
- Boolean FullText operator not working on knowledge base search.
- Unexpected search results when using negative condition on ticket actors.
- Issues with LDAP filters/DN.
- Unexpected results when searching on knowledge base categories.