Unrated severityNVD Advisory· Published Dec 11, 2024· Updated Dec 11, 2024

GLPI vulnerable to account takeover without privilege escalation through the API

CVE-2024-47758

Description

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

Affected products

Glpi Project/Glpiv5
Range: >= 9.3.0, < 10.0.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/glpi-project/glpi/releases/tag/10.0.17mitrex_refsource_MISC
github.com/glpi-project/glpi/security/advisories/GHSA-3r4x-6pmx-phwrmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000