#VU74593 Improper Privilege Management in GLPI - CVE-2023-28632

Published: April 7, 2023


Vulnerability identifier: #VU74593
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28632
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: GLPI
Software vendor: glpi-project

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to improper privilege management. A remote authenticated user can modify the email address of any other user of the application, including the administrator's. This can be used to take over an arbitrary account by invoking the "forgotten password" feature, which sends the password reset to the modified email address.
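To make the missing check concrete, the following added example (not GLPI's code; all account names and addresses are constructed) models the email-update endpoint twice: once without an ownership or role check, as the advisory describes, and once hardened so that only the account owner or an administrator may change the address that password-reset mail is sent to.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    email: str
    is_admin: bool = False


def make_store() -> dict:
    # Constructed sample accounts for the demonstration (not real data).
    return {
        "admin": User("admin", "admin@example.test", is_admin=True),
        "alice": User("alice", "alice@example.test"),
    }


def update_email_vulnerable(users, actor, target, new_email):
    # Checks only that the actor is logged in, never whose profile is being
    # edited: this is the missing privilege check (CWE-269) in the advisory.
    if actor not in users:
        raise PermissionError("authentication required")
    users[target].email = new_email
    return users[target].email


def update_email_hardened(users, actor, target, new_email):
    # The actor must own the profile or hold the admin role.
    if actor not in users:
        raise PermissionError("authentication required")
    if actor != target and not users[actor].is_admin:
        raise PermissionError(f"{actor} may not edit {target}")
    users[target].email = new_email
    return users[target].email


def reset_mail_recipient(users, target):
    # Address the "forgotten password" mail for `target` would be sent to.
    return users[target].email


def takeover_possible(update_fn) -> bool:
    # True if a plain user can redirect the admin's reset mail via update_fn.
    users = make_store()
    try:
        update_fn(users, "alice", "admin", "alice@example.test")
    except PermissionError:
        return False
    return reset_mail_recipient(users, "admin") == "alice@example.test"
```

A complete fix would additionally confirm a new address (and notify the old one) before it becomes the reset target, so that even a legitimate edit cannot silently redirect recovery mail.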


Remediation

Install updates from the vendor's website.

External links