Sensitive Information Disclosure in GLPI IT Management Software
CVE-2025-25192

6.5MEDIUM

Key Information:

Vendor: GLPI Project
Status: Glpi
Vendor: CVE Published:; 25 February 2025

Summary

GLPI, an open-source asset and IT management software, has a vulnerability that allows a low privileged user to enable debug mode and access sensitive information prior to version 10.0.18. This can expose system internals that should remain confidential, potentially compromising the integrity and security of the IT environment. Users are urged to update to version 10.0.18 or apply the recommended workaround of deleting the 'install/update.php' file to mitigate this risk.

Affected Version(s)

glpi < 10.0.18

References

https://github.com/glpi-project/glpi/security/advisories/...

x_refsource_CONFIRM

https://github.com/glpi-project/glpi/releases/tag/10.0.18

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Feb 3, 2025