GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
History

Wed, 11 Dec 2024 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Dec 2024 18:00:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
Title GLPI vulnerable to unauthenticated session hijacking
Weaknesses CWE-287
CWE-79
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-11T17:48:42.230Z

Updated: 2024-12-11T18:31:59.719Z

Reserved: 2024-10-22T17:54:40.954Z

Link: CVE-2024-50339

cve-icon Vulnrichment

Updated: 2024-12-11T18:31:38.303Z

cve-icon NVD

Status : Received

Published: 2024-12-12T02:06:19.147

Modified: 2024-12-12T02:06:19.147

Link: CVE-2024-50339

cve-icon Redhat

No data.