Plugin Disabling Vulnerability in GLPI Asset Management Software
CVE-2025-23024

6.9MEDIUM

Key Information:

Vendor: GLPI Project
Status: Glpi
Vendor: CVE Published:; 25 February 2025

Summary

GLPI, an open-source asset and IT management software, is susceptible to a vulnerability that allows anonymous users to disable all active plugins. This issue affects versions from 0.72 up to 10.0.17. A patch was released in version 10.0.18 to address this vulnerability. For immediate mitigation, users can remove the install/update.php file as a workaround.

Affected Version(s)

glpi >= 0.72, < 10.0.18

References

https://github.com/glpi-project/glpi/security/advisories/...

x_refsource_CONFIRM

https://github.com/glpi-project/glpi/releases/tag/10.0.18

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Jan 10, 2025