PT-2020-12501 · Teclib+1 · Glpi+1

Trasher · Published 2020-05-05 · Updated 2021-09-14 · CVE-2020-11033

CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GLPI versions 9.1 through 9.4.6

Description: The issue allows any API user with READ right on the User itemtype to retrieve the full list of users by querying "apirest.php/User". The response includes every user's API token, which can be used for privilege escalation or to read, update or delete data that is normally not accessible to the current user, and every personal token, which can expose another user's planning. Exploiting this requires the API to be enabled and a technician account.

Recommendations: For versions 9.1 through 9.4.6, update to version 9.4.6 to resolve the issue. As a temporary workaround, consider adding an application token to mitigate the vulnerability.

Fix

Weakness Enumeration

Information Disclosure

Related Identifiers

ALT-PU-2020-2358
ALT-PU-2020-2455
CVE-2020-11033
GHSA-RF54-3R4W-4H55
MGASA-2020-0220

Affected Products

Alt Linux
Glpi