First published: Wed Apr 05 2023
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such a token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI-PROJECT GLPI | >=0.83, <9.5.13 | Upgrade to 9.5.13 |
| GLPI-PROJECT GLPI | >=10.0.0, <10.0.7 | Upgrade to 10.0.7 |
CVE-2023-28634 is a vulnerability in GLPI, an asset and IT management software package, that allows a user with the Technician profile to generate a Personal token for a Super-Admin and hijack their session.
CVE-2023-28634 has a severity rating of 8.8 (high).
GLPI versions from 0.83 up to (but not including) 9.5.13, and from 10.0.0 up to (but not including) 10.0.7, are affected by CVE-2023-28634.
An attacker with the Technician profile can exploit CVE-2023-28634 by generating a Personal token for the Super-Admin, then using that token to negotiate a GLPI session and hijack the Super-Admin's account.
To fix CVE-2023-28634, upgrade your GLPI installation to version 9.5.13 or 10.0.7.
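To check an inventory of GLPI installations against the affected ranges listed above, here is an added example (not part of this advisory or of the GLPI project) that parses the advisory's `>=A<B` range syntax and reports whether a given version is vulnerable and which release fixes it; the range strings are taken from the table on this page.

```python
"""Check whether a GLPI version falls inside the ranges affected by CVE-2023-28634."""
import re

# Affected ranges exactly as stated in the advisory table above.
AFFECTED_RANGES = [">=0.83<9.5.13", ">=10.0.0<10.0.7"]


def parse_version(version: str) -> tuple:
    """Turn '9.5.13' into a comparable tuple of ints; missing parts count as 0.
    Pre-release suffixes (e.g. '-rc1') contribute an extra component and are
    treated as newer than the bare release, which is conservative enough for a
    fleet-wide triage but not a full SemVer implementation."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_range(spec: str) -> tuple:
    """Parse the advisory's '>=A<B' form into (lower_inclusive, upper_exclusive)."""
    match = re.fullmatch(r">=([\d.]+)<([\d.]+)", spec)
    if not match:
        raise ValueError(f"unsupported range syntax: {spec}")
    return parse_version(match.group(1)), parse_version(match.group(2))


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in map(parse_range, ranges))


def fixed_version_for(version: str, ranges=AFFECTED_RANGES):
    """Return the first patched release on the same branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in map(parse_range, ranges):
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> installed GLPI version.
    inventory = {"glpi-prod": "10.0.6", "glpi-legacy": "9.5.9", "glpi-test": "10.0.7"}
    for host, ver in inventory.items():
        fix = fixed_version_for(ver)
        status = f"VULNERABLE, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: GLPI {ver} -> {status}")
```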