CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
37.0%
GLPI is a free asset and IT management software package. Starting in
version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user
can modify emails of any user, and can therefore takeover another user
account through the “forgotten password” feature. By modifying emails, the
user can also receive sensitive data through GLPI notifications. Versions
9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account
takeover can be prevented by deactivating all notifications related to
Forgotten password?
event. However, it will not prevent unauthorized
modification of any user emails.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
37.0%