GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
History

Fri, 15 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
CPEs cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
Vendors & Products Glpi-project
Glpi-project glpi
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
Title GLPI allows account takeover via SQL Injection in AJAX scripts
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-15T18:06:36.649Z

Updated: 2024-11-19T14:11:25.885Z

Reserved: 2024-07-08T16:13:15.511Z

Link: CVE-2024-40638

cve-icon Vulnrichment

Updated: 2024-11-15T18:22:33.205Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-15T18:15:27.457

Modified: 2024-11-20T15:30:37.387

Link: CVE-2024-40638

cve-icon Redhat

No data.