CVE-2023-28634

CVSS V2 None CVSS V3 None
Description
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
Overview
  • CVE ID
  • CVE-2023-28634
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-04-05T17:15:07
  • Last Modified Date
  • 2023-04-12T17:14:36
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* 1 OR 0.83 9.5.13
cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* 1 OR 10.0.0 10.0.7
History
Created Old Value New Value Data Type Notes
2023-04-17 04:12:03 Added to TrackCVE
2023-04-17 04:12:05 Weakness Enumeration new