CVE-2016-7507: Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.
CVE-2016-7509: Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
Upstream bug: https://github.com/glpi-project/glpi/issues/2483
Upstream patch: https://github.com/glpi-project/glpi/commit/fc9363360a12328057b69a29a9f233f0ab113bf4
Created glpi tracking bugs for this issue:
Affects: epel-7 [bug 1473177]
Package no longer present in epel.