GLPI allows account takeover via SQL Injection in AJAX scripts
CVE-2024-40638

8.8HIGH

Key Information:

Vendor: Glpi-project
Status: Glpi
Vendor: CVE Published:; 15 November 2024

Summary

Multiple SQL injection vulnerabilities have been identified in GLPI, a widely used open-source asset and IT management software package. These vulnerabilities can be exploited by authenticated users, enabling them to manipulate account data and potentially take control of another user's account. It is essential for users of GLPI to upgrade to version 10.0.17 to mitigate these risks and secure their systems against unauthorized access.

Affected Version(s)

glpi >= 0.85, < 10.0.17

References

https://github.com/glpi-project/glpi/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 15, 2024