CVE-2019-14666

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 9.4.4

Description The issue allows for account takeover by exploiting the autocompletion feature in ajax/autocompletion.php due to a lack of proper validation. This enables an attacker to recover the token generated during the password reset process, allowing them to set an arbitrary password for any user, including admin accounts. Additionally, this could be used to obtain sensitive information such as API keys or password hashes.

Recommendations For versions prior to 9.4.4, update to version 9.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax/autocompletion.php endpoint until a patch is applied. Avoid using the password reset functionality until the issue is resolved.