PT-2022-7395 · Glpi+2

Published: 2022-09-15 · Updated: 2024-07-26 · CVE-2022-39234

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.4

Description: The issue is related to insufficient session expiration in the GLPI system, which can allow a remote attacker to impact the system's integrity. A deleted or deactivated user could continue to use their account as long as their cookie is valid.

Recommendations: For versions prior to 10.0.4, upgrade to version 10.0.4 to resolve the issue. As a temporary workaround, consider restricting access to the system for deleted or deactivated users until the patch is applied. Avoid relying on cookie validity for session management until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

ALT-PU-2022-2614
ALT-PU-2022-2624
ALT-PU-2022-2665
ALT-PU-2022-3008
ALT-PU-2022-3078
ALT-PU-2022-3274
ALT-PU-2023-7633
ALT-PU-2024-8030
ALT-PU-2024-8094
BDU:2024-05807
CVE-2022-39234
GHSA-PGCX-MC58-3GMG

Affected Products

Alt Linux
Glpi
Red Os