CVE-2025-64516

Sažetak

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

Reference

https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c
https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27
https://github.com/glpi-project/glpi/releases/tag/10.0.21
https://github.com/glpi-project/glpi/releases/tag/11.0.3
https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

16-01-2026 - 15:55

Objavljeno

15-01-2026 - 16:16