Release 10.0.7 · glpi-project/glpi

This is a security release, upgrading is recommended

This release fixes several security issues that has been recently discovered. Update is recommended!

You can download the GLPI 10.0.7 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

[SECURITY - High] SQL injection and Stored XSS via inventory agent request (CVE-2023-28849).
[SECURITY - High] Account takeover by authenticated user (CVE-2023-28632).
[SECURITY - High] SQL injection through dynamic reports (CVE-2023-28838).
[SECURITY - Moderate] Stored XSS through dashboard administration (CVE-2023-28852).
[SECURITY - Moderate] Stored XSS on external links (CVE-2023-28636).
[SECURITY - Moderate] Reflected XSS in search pages (CVE-2023-28639).
[SECURITY - Moderate] Privilege Escalation from technician to super-admin (CVE-2023-28634).
[SECURITY - Low] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Also, here is a short list of main changes done in this version:

[SECURITY] Optional GLPI router to be able to use a safer web server root directory.
[FEATURE] Support of SMTP OAuth authentication.
[FEATURE] Improved inventory file upload feature.
[FIX] Many fixes and improvements on native inventory.
[FIX] Some bugs on PHP 8.2.
[FIX] Caching issues on entities.
[FIX] Boolean FullText operator not working on knowledge base search.
[FIX] Unexpected search results when using negative condition on ticket actors.
[FIX] Issues with LDAP filters/DN.
[FIX] Unexpected results when searching on knowledge base categories.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.