Advisories » MGASA-2015-0017

Updated glpi package fixes security vulnerabilities

Publication date: 09 Jan 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-5032, CVE-2014-8360, CVE-2014-9258


Updated glpi package fixes security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information
can in fact see the information when selecting cost as a search criterion.

An issue in GLPI before 0.84.8 may allow arbitrary local files to be included
by PHP through an autoload function (CVE-2014-8360).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1
allows remote authenticated users to execute arbitrary SQL commands via the
condition parameter (CVE-2014-9258).