#VU74596 Improper Authorization in GLPI - CVE-2023-28634

Cybersecurity Help s.r.o.

Published: 2023-04-07

Vulnerability identifier: #VU74596

Vulnerability risk: Low

CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-28634

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GLPI
Web applications / CRM systems

Vendor: glpi-project

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to missing authorization that allows a user with the Technician profile to view and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GLPI: 0.83 - 0.90.5, 9.1 - 9.5.12, 10.0.0 rc2 - 10.0.6

External links
https://github.com/glpi-project/glpi/releases/tag/9.5.13
https://github.com/glpi-project/glpi/releases/tag/10.0.7
https://github.com/glpi-project/glpi/security/advisories/GHSA-4279-rxmh-gf39

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in GLPI