Mandriva Linux Security Advisory 2015-167 - Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criteria. An issue in GLPI before 0.84.8 may allow arbitrary local files to be included by PHP through an autoload function. SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
e3b1d38067d3fcf135b2a6c7247cd928213897e8ebe6436e2ff172e8f2302927