CVE-2025-52567

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

04 Aug 2025, 18:54

Type	Values Removed	Values Added
References	~~() https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7 -~~	() https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7 - Vendor Advisory
First Time		Glpi-project Glpi-project glpi
CPE		cpe:2.3:a:glpi-project:glpi::::::::

31 Jul 2025, 18:42

Type	Values Removed	Values Added
Summary		(es) GLPI es un paquete gratuito de software de gestión de activos y TI, que permite la gestión de centros de datos, la mesa de ayuda ITIL, el seguimiento de licencias y la auditoría de software. En las versiones 0.84 a 10.0.18, el uso de fuentes RSS o calendarios externos durante la planificación está sujeto a vulnerabilidades SSRF. Los parches de seguridad anteriores, desde GLPI 10.0.4, no eran lo suficientemente robustos para ciertos casos específicos. Esto se ha corregido en la versión 10.0.19.

30 Jul 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-30 14:15

Updated : 2025-08-04 18:54

NVD link : CVE-2025-52567

Mitre link : CVE-2025-52567

CVE.ORG link : CVE-2025-52567

JSON object : View

Products Affected

glpi-project

glpi

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2025-52567", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2025-07-30T14:15:28.193", "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19."}, {"lang": "es", "value": "GLPI es un paquete gratuito de software de gesti\u00f3n de activos y TI, que permite la gesti\u00f3n de centros de datos, la mesa de ayuda ITIL, el seguimiento de licencias y la auditor\u00eda de software. En las versiones 0.84 a 10.0.18, el uso de fuentes RSS o calendarios externos durante la planificaci\u00f3n est\u00e1 sujeto a vulnerabilidades SSRF. Los parches de seguridad anteriores, desde GLPI 10.0.4, no eran lo suficientemente robustos para ciertos casos espec\u00edficos. Esto se ha corregido en la versi\u00f3n 10.0.19."}], "lastModified": "2025-08-04T18:54:47.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4BD4507-6885-4C92-81BB-2A5CD14455C8", "versionEndExcluding": "10.0.19", "versionStartIncluding": "0.84"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}