PT-2024-4812 · Microsoft · Windows
Silhusk · Published 2024-04-25 · Updated 2025-01-22
CVE-2024-28240
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
GLPI-Agent versions prior to 1.7.2
Description:
A vulnerability in the GLPI-Agent, specifically affecting installations on Windows via MSI packaging, allows a local user to cause a denial of service by replacing the GLPI server URL with an incorrect one or by disabling the service. Furthermore, if the Deploy task is installed, a malicious local user can trigger privilege escalation by configuring a malicious server with its own deploy task payload. This issue is due to insufficient input validation.
Recommendations:
For versions prior to 1.7.2, update to version 1.7.2 to resolve the issue.
As a temporary workaround, edit the GLPI-Agent related key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and add a SystemComponent DWORD value, setting it to 1, to hide GLPI-Agent from installed applications.
Exploit · Fix · RCE
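The temporary workaround from the Recommendations, as a PowerShell script. This is an example added here, not code from the advisory or the GLPI-Agent project. The `DisplayName` wildcard and the parameter names are assumptions; the script only reports unless run with `-Apply` from an elevated session.

```powershell
# Added example: report GLPI-Agent uninstall entries and apply the
# SystemComponent workaround to versions older than the fixed release.
param(
    # Assumption: the agent's DisplayName matches this wildcard; adjust if needed.
    [string]$NamePattern = 'GLPI*Agent*',
    [version]$FixedVersion = '1.7.2',
    [switch]$Apply    # without -Apply nothing is written
)

$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Collect every uninstall subkey whose DisplayName looks like the agent.
$entries = Get-ChildItem -Path $uninstallRoot | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($props.DisplayName -like $NamePattern) {
        [pscustomobject]@{
            KeyPath         = $_.PSPath
            DisplayName     = $props.DisplayName
            DisplayVersion  = $props.DisplayVersion
            SystemComponent = $props.SystemComponent
        }
    }
}

if (-not $entries) {
    Write-Output "No uninstall entry matching '$NamePattern' under $uninstallRoot."
    return
}

foreach ($e in $entries) {
    $parsed = $null
    # An unparseable or missing version is treated as not fixed.
    $isFixed = [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed) -and
               ($parsed -ge $FixedVersion)

    if ($isFixed) {
        Write-Output "$($e.DisplayName) $($e.DisplayVersion): fixed version, no workaround needed."
    } elseif ($e.SystemComponent -eq 1) {
        Write-Output "$($e.DisplayName) $($e.DisplayVersion): workaround already in place, update to $FixedVersion."
    } elseif ($Apply) {
        # Create or overwrite the DWORD that hides the entry from installed applications.
        New-ItemProperty -Path $e.KeyPath -Name 'SystemComponent' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "$($e.DisplayName) $($e.DisplayVersion): SystemComponent set to 1, update to $FixedVersion."
    } else {
        Write-Output "$($e.DisplayName) $($e.DisplayVersion): vulnerable, rerun with -Apply or update to $FixedVersion."
    }
}
```

The workaround only hides the entry from installed applications; updating to 1.7.2 remains the fix.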
Affected Products
Windows