CVE-2024-27937: glpi Users emails enumeration
First published: Mon Mar 18 2024(Updated: )
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | >=10.0.0<10.0.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-27937?
CVE-2024-27937 has been classified with a moderate severity as it allows an authenticated user to access sensitive user information.
How do I fix CVE-2024-27937?
To fix CVE-2024-27937, upgrade to GLPI version 10.0.13 or later.
Who is affected by CVE-2024-27937?
All users of GLPI versions from 10.0.0 to 10.0.12 are affected by CVE-2024-27937.
What information can be exposed due to CVE-2024-27937?
CVE-2024-27937 allows an authenticated user to obtain the email addresses of all GLPI users.
Is there a patch available for CVE-2024-27937?
Yes, a patch for CVE-2024-27937 is included in GLPI version 10.0.13.
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi
- version/glpi/10.0.0