PT-2023-3260
K1000O23
Published: 2023-04-05 · Updated: 2024-05-22
CVE-2023-28632
| CVSS v2.0 | 8.5 (High) |
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
GLPI versions 0.83 through 9.5.12
GLPI versions 10.0.0 through 10.0.6
Description
The vulnerability is caused by incorrect privilege management in GLPI: an authenticated user can modify the email address of any other user, including the administrator's. Because the "forgotten password" feature sends reset links to the stored address, this can lead to account takeover, and an attacker who redirects a user's address may also receive sensitive data through GLPI notifications.
Recommendations
For GLPI versions 0.83 through 9.5.12, update to version 9.5.13 to resolve the issue.
For GLPI versions 10.0.0 through 10.0.6, update to version 10.0.7 to resolve the issue.
As a temporary workaround, consider deactivating all notifications related to the "Forgotten password?" event to prevent account takeover; note that this does not prevent unauthorized modification of user emails.
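The affected ranges and fixed versions above can be encoded as a simple inventory check. The following Python is an added example, not part of this advisory or of GLPI itself: it compares dotted version strings numerically, reports the upgrade target for any instance inside an affected range, and runs over a constructed inventory (the host names and versions are made up for illustration).

```python
"""Check installed GLPI versions against the ranges affected by CVE-2023-28632.

Added example; the ranges and fixed versions come from the advisory text,
the inventory below is constructed sample data.
"""

from typing import Dict, Optional, Tuple

# (first affected, last affected, version that fixes the issue), as stated
# in the advisory's Recommendations.
AFFECTED_RANGES = [
    ("0.83", "9.5.12", "9.5.13"),
    ("10.0.0", "10.0.6", "10.0.7"),
]

# Constructed inventory: hostname -> reported GLPI version.
SAMPLE_INVENTORY = {
    "glpi-prod": "10.0.5",
    "glpi-test": "10.0.7",
    "glpi-legacy": "9.5.12",
    "glpi-new": "10.0.12",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.5.12' into (9, 5, 12) so that versions compare numerically.

    A trailing tag such as '-dev' is stripped; Python tuple comparison then
    handles ranges of different length ('0.83' < '9.5.12' < '10.0.0').
    """
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def check_glpi_version(version: str) -> Optional[str]:
    """Return the version to upgrade to if `version` is affected, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= parsed <= parse_version(high):
            return fixed
    return None


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the fixed version it should be upgraded to.

    Hosts already on a fixed or unaffected release are left out of the result.
    """
    report = {}
    for host, version in inventory.items():
        fixed = check_glpi_version(version)
        if fixed is not None:
            report[host] = fixed
    return report


if __name__ == "__main__":
    for host, fixed in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: affected by CVE-2023-28632, upgrade to {fixed}")
```

The check is deliberately strict about the stated upper bounds: 9.5.13 and 10.0.7 are reported as not affected, matching the advisory, while anything below 0.83 or between the two branches is simply outside the documented ranges.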
Weakness Enumeration
Improper Privilege Management
Affected Products
Alt Linux
Glpi
Red Os