CVE-2023-28634

2023-04-0517:15:07

CWE-863

CWE-285

[email protected]

web.nvd.nist.gov

glpi

privilege escalation

super-admin

personal token

patch

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.7%

JSON

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.