Account takeover via Kanban feature in GLPI
CVE-2023-41326
8.1HIGH
Key Information:
- Vendor
- Glpi-project
- Status
- Glpi
- Vendor
- CVE Published:
- 27 September 2023
Summary
GLPI, a widely used free asset and IT management software, has a vulnerability that allows an authenticated user to exploit the Kanban feature. This exploitation can lead to unauthorized modifications of user fields, ultimately allowing the attacker to gain access to another user’s account. Users are strongly advised to upgrade to version 10.0.10 to ensure their accounts remain secure, as no effective workarounds exist to mitigate this risk.
Affected Version(s)
glpi >= 9.5.0, < 10.0.10
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved