PT-2023-6824

Jbms-Syn · Published 2023-09-26 · Updated 2024-05-22 · CVE-2023-41322

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.10
Description: The vulnerability stems from inadequate access control in GLPI, an IT service management system that provides ITIL service desk features, license tracking and software auditing. A user with write access to another user's account can request a password change for that account and then take it over. This allows a remote attacker to gain unauthorized access to another user's account.
Recommendations: For versions prior to 10.0.10, upgrade to version 10.0.10 to resolve the issue. As a temporary workaround, consider restricting write access to user accounts to minimize the risk of exploitation.

Weakness Enumeration

Improper Access Control
Improper Privilege Management

Related Identifiers

ALT-PU-2023-6186
ALT-PU-2023-7633
ALT-PU-2024-8030
BDU:2023-07698
CVE-2023-41322
GHSA-9J8M-7563-8XVR

Affected Products

Alt Linux
Glpi
Red Os