Account takeover through API in GLPI
CVE-2023-41324
8.1HIGH
Key Information:
- Vendor
- Glpi-project
- Status
- Glpi
- Vendor
- CVE Published:
- 27 September 2023
Summary
A security vulnerability in GLPI (Gestionnaire Libre de Parc Informatique) allows API users with read access to user resources to exploit the system and potentially steal other users' accounts. This flaw impacts versions of GLPI before 10.0.10, which users are strongly advised to upgrade to in order to secure their installations. Unfortunately, there are currently no workarounds available to mitigate the risks posed by this vulnerability.
Affected Version(s)
glpi >= 9.3.0, < 10.0.10
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved