PT-2024-5861 · Glpi+2

0Xmupa · Published 2024-07-10 · Updated 2025-01-07 · CVE-2024-37147

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.16

Description: The issue is an incorrect access control check in GLPI, a system that provides ITIL service desk features, license tracking and software auditing. An authenticated user can attach a document to any item, even one the user has no write access to, because the document attachment operation does not verify the user's rights on the target item. This allows a remote, authenticated attacker to bypass the configured access restrictions (integrity impact only; no confidentiality or availability impact is claimed, consistent with the CVSS vector above).

Recommendations: Upgrade to GLPI 10.0.16 or later. Until the upgrade is applied, as a temporary measure, limit which user profiles may create documents and attach them to items, and review document links on sensitive items for attachments made by users who should not have had write access to them.
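The following is an added illustrative model of the access-control gap described above, written for this page; it is not GLPI's code and does not reproduce GLPI's classes or rights names. The store, item types, user names and the `document:create` right are constructed for the example. It contrasts a check that only asks "may this user create document links at all?" with one that additionally requires write access on the specific target item, which is the object-level check the advisory says was missing.

```python
"""Illustrative model of an object-level authorization gap when attaching
documents to items (constructed example; not GLPI's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Item:
    itemtype: str
    id: int
    writers: set = field(default_factory=set)  # users with write access to this item


@dataclass
class Session:
    user: str
    rights: set  # profile-level rights, e.g. {"document:create"} (name assumed)


@dataclass
class Store:
    items: dict                                  # (itemtype, id) -> Item
    links: list = field(default_factory=list)   # (document_id, itemtype, item_id)


class Forbidden(Exception):
    pass


def attach_document_vulnerable(session, store, document_id, itemtype, item_id):
    """Broken pattern: checks only the generic profile right, never whether the
    caller may modify the target item, so any user holding the right can link a
    document to any item in the store."""
    if "document:create" not in session.rights:
        raise Forbidden("no right to create document links")
    if (itemtype, item_id) not in store.items:
        raise Forbidden("no such item")
    store.links.append((document_id, itemtype, item_id))
    return True


def attach_document_fixed(session, store, document_id, itemtype, item_id):
    """Hardened pattern: linking a document modifies the target item, so the
    caller must hold write access on that specific item as well."""
    if "document:create" not in session.rights:
        raise Forbidden("no right to create document links")
    item = store.items.get((itemtype, item_id))
    # Same response for "does not exist" and "not writable by you", so the
    # endpoint cannot be used to enumerate item ids the caller may not see.
    if item is None or session.user not in item.writers:
        raise Forbidden("no write access on target item")
    store.links.append((document_id, itemtype, item_id))
    return True


def run_scenario():
    """Constructed scenario: alice may write Ticket 1 but not Ticket 2."""
    store = Store(items={
        ("Ticket", 1): Item("Ticket", 1, writers={"alice"}),
        ("Ticket", 2): Item("Ticket", 2, writers={"bob"}),
    })
    alice = Session(user="alice", rights={"document:create"})
    results = {}

    # Vulnerable check: both attachments go through, including the foreign ticket.
    results["vuln_own"] = attach_document_vulnerable(alice, store, 10, "Ticket", 1)
    results["vuln_other"] = attach_document_vulnerable(alice, store, 10, "Ticket", 2)
    store.links.clear()

    # Fixed check: only the ticket alice can write accepts the link.
    results["fixed_own"] = attach_document_fixed(alice, store, 10, "Ticket", 1)
    try:
        attach_document_fixed(alice, store, 10, "Ticket", 2)
        results["fixed_other"] = True
    except Forbidden:
        results["fixed_other"] = False
    results["links"] = list(store.links)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to carry over to any real code base is that a "create" right on the link table is not a substitute for an update right on the object being linked to; the authorization decision has to be made against the target item, and the denial should not reveal whether the item exists.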

Weakness Enumeration

Improper Access Control (CWE-284)

Related Identifiers

ALT-PU-2024-10022
ALT-PU-2024-9613
BDU:2024-06608
CVE-2024-37147
GHSA-F2CG-FC85-FFMH

Affected Products

Alt Linux
Glpi
Red Os