SB2026040798 - Multiple vulnerabilities in GLPI

Description

This security bulletin contains information about 9 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2025-53112)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to remove specific resources.

The vulnerability exists due to improper access control in permission checks when handling requests to remove resources. A remote user can send a crafted request to remove specific resources.

2) Improper access control (CVE-ID: CVE-2025-53111)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in resource permission checks when handling requests for protected resources. A remote user can access resources without proper authorization to disclose sensitive information.

3) Improper access control (CVE-ID: CVE-2025-53113)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the external links feature when fetching information on items through external links. A remote privileged user can use the external links feature to access information on items they are not allowed to see to disclose sensitive information.

4) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-53357)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to modify another user's reservations.

The vulnerability exists due to authorization bypass through user-controlled key in the reservations feature when handling reservation modification requests. A remote user can alter identifiers in a crafted request to modify another user's reservations.

5) Improper access control (CVE-ID: CVE-2025-53008)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in mail receiver credentials handling when processing a malicious payload. A remote user can use a malicious payload to disclose sensitive information.

6) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-52897)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of script-related html tags in a web page in the planning feature when handling a malicious link. A remote attacker can send a specially crafted link to execute arbitrary script in the victim's browser.

User interaction is required to open the crafted link.

7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-52567)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in RSS feeds and external calendar handling in planning when processing user-supplied feed or calendar URLs. A remote user can supply a crafted URL to disclose sensitive information.

The issue is blind in nature and affects usage of RSS feeds or external calendar in planning.

8) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-27514)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of script-related html tags in a web page in the projects kanban when rendering stored content. A remote privileged user can inject a malicious payload to disclose sensitive information.

User interaction is required to trigger the stored payload.

9) Improper access control (CVE-ID: CVE-2025-53105)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to modify the rules execution order.

The vulnerability exists due to improper access control in the rules management functionality when handling requests to update rule ordering. A remote user can send a crafted request to modify the rules execution order.

Remediation

Install update from vendor's website.

References

• https://github.com/glpi-project/glpi/security/advisories/GHSA-rp7w-6343-3m2r
• https://github.com/glpi-project/glpi/security/advisories/GHSA-p665-mqcr-j96j
• https://github.com/advisories/GHSA-p665-mqcr-j96j
• https://github.com/glpi-project/glpi/security/advisories/GHSA-r2mm-6499-4m8j
• https://github.com/glpi-project/glpi/security/advisories/GHSA-x9mj-822q-6cf8
• https://github.com/advisories/GHSA-x9mj-822q-6cf8
• https://github.com/glpi-project/glpi/security/advisories/GHSA-52h8-76ph-4j9q
• https://github.com/glpi-project/glpi/security/advisories/GHSA-6whm-q2rp-prqm
• https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7
• https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj
• https://github.com/glpi-project/glpi/security/advisories/GHSA-334r-2682-95wc