CVE-2023-28634

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 9.5.13 GLPI versions prior to 10.0.7

Description The issue is related to a lack of authorization, allowing a user with the Technician profile to view and generate a personal token for a Super-Admin. This can be exploited to negotiate a GLPI session and hijack the Super-Admin account, resulting in a privilege escalation.

Recommendations For versions prior to 9.5.13, update to version 9.5.13 or later to resolve the issue. For versions prior to 10.0.7, update to version 10.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the personal token generation feature for users with the Technician profile until a patch is applied.

Exploit

Fix

Improper Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-863

Related Identifiers

ALT-PU-2023-1801

ALT-PU-2023-1932

ALT-PU-2023-2081

ALT-PU-2023-5122

ALT-PU-2023-7633

ALT-PU-2024-8030

ALT-PU-2024-8094

BDU:2023-03380

CVE-2023-28634

GHSA-4279-RXMH-GF39

Affected Products

Alt Linux

Glpi

Red Os

CVE-2023-28634

Weakness Enumeration

Related Identifiers

Affected Products

References · 14