CVE-2025-21626

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21626
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21626.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-21626
Aliases
  • GHSA-5vvr-pxwf-3w77
Related
Published
2025-02-25T16:15:37Z
Modified
2025-03-05T03:57:41.314880Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the status.php endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the status.php file, restrict its access, or remove any sensitive values from the name field of the active LDAP directories, mail servers authentication providers and mail receivers.

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type
GIT
Repo
https://github.com/glpi-project/glpi
Events
Introduced
b64f35c04d55c517c424c8feaf5bbfa9bae4e3ff
Fixed
9389461d8a207bdcdf4f50f9db9fc8acdf6c7bbf