Improper Privilege Management in GLPI - CVE-2023-28632

Published: April 7, 2023
Vulnerability identifier: #VU74593
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28632
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: glpi-project
Affected software:
GLPI

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to improper privilege management. A remote authenticated user can modify the email address of any other user of the application, including the administrator's. This can be used to take over an arbitrary account: the attacker changes the victim's email to one they control, then uses the "forgotten password" feature to have the password reset sent to the modified address.
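The flaw class behind this advisory is an email-update handler that trusts the target user id from the request without checking who is making the change. The following is an added, constructed model of that pattern next to a hardened form (it is not GLPI code; the user store, the admin id 1 and the user id 2 are assumptions): the hardened handler restricts changes to the account owner or an administrator and records every cross-account change or attempt, which is the signal a detection rule for this kind of takeover would key on.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # events for detection/alerting


def update_email_unchecked(store: UserStore, actor_id: int,
                           target_id: int, new_email: str) -> str:
    """Vulnerable pattern: any authenticated actor may rewrite any user's email."""
    store.users[target_id].email = new_email
    return store.users[target_id].email


def update_email_checked(store: UserStore, actor_id: int,
                         target_id: int, new_email: str) -> str:
    """Hardened pattern: only the account owner or an admin may change an email,
    and every cross-account change (or attempt) is written to the audit trail."""
    actor = store.users[actor_id]
    if actor_id != target_id and not actor.is_admin:
        store.audit.append(("denied", actor_id, target_id))
        raise PermissionError("not authorised to modify another user's email")
    if actor_id != target_id:
        store.audit.append(("admin_changed_email", actor_id, target_id))
    store.users[target_id].email = new_email
    return store.users[target_id].email


def demo() -> dict:
    """Run both handlers with a constructed admin (id 1) and normal user (id 2)."""
    store = UserStore()
    store.users[1] = User(1, "admin@example.test", is_admin=True)
    store.users[2] = User(2, "user@example.test")
    # Unchecked handler: user 2 silently rewrites the admin's email.
    hijacked = update_email_unchecked(store, 2, 1, "changed@example.test")
    # Checked handler: the same request is refused and logged.
    try:
        update_email_checked(store, 2, 1, "changed-again@example.test")
        blocked = False
    except PermissionError:
        blocked = True
    return {"hijacked": hijacked, "blocked": blocked,
            "admin_email": store.users[1].email, "audit": store.audit}
```

The "denied" audit event is the one to alert on: a non-admin account repeatedly targeting other users' profile fields is the precursor to the password-reset takeover described above.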


How to mitigate CVE-2023-28632

Install updates from the vendor's website.

Sources