Unrated severityNVD Advisory· Published Dec 11, 2024· Updated Dec 11, 2024

GLPI vulnerable to unauthenticated session hijacking

CVE-2024-50339

Description

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Affected products

Glpi Project/Glpiv5
Range: >= 9.5.0, < 10.0.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/glpi-project/glpi/releases/tag/10.0.17mitrex_refsource_MISC
github.com/glpi-project/glpi/security/advisories/GHSA-v977-g4r9-6r72mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.016
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000