Account takeover via Kanban feature

High

cedric-anne published GHSA-5wj6-hp4c-j5q9

Sep 26, 2023

Package

glpi (glpi-project)

Affected versions

>= 9.5.0

Patched versions

10.0.10

Description

Impact

A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account.

Patches

Upgrade to 10.0.10.

For more information

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

Severity

High

8.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N