{"id":"CVE-2020-27663","details":"In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).","modified":"2026-04-11T17:19:10.796572Z","published":"2020-11-26T17:15:11.237Z","related":["GHSA-pqfv-4pvr-55r4"],"references":[{"type":"ADVISORY","url":"https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/glpi-project/glpi","events":[{"introduced":"0"},{"fixed":"54b199dadf73ff97a835a7a3b09a956d9df19b8c"}],"database_specific":{"cpe":"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"9.5.3"}]}}],"versions":["0.90","0.90-RC1","0.90-RC2","0.90-beta1","0.90-beta2","9.1","9.1-RC1","9.1-RC2","9.3-beta","9.4.0","9.4.0-beta","9.4.0-rc1","9.4.0-rc2","9.4.1","9.4.1.1","9.5.0","9.5.0-rc1","9.5.0-rc2","9.5.1","9.5.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-27663.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}