CVE-2024-47758: GLPI vulnerable to account takeover without privilege escalation through the API
First published: Wed Dec 11 2024(Updated: )
GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | >9.3.0<=10.0.16 | |
| GLPI | >=9.3.0<10.0.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-47758?
CVE-2024-47758 is classified as a medium severity vulnerability.
How do I fix CVE-2024-47758?
To fix CVE-2024-47758, update GLPI to version 10.0.17 or later.
Who is affected by CVE-2024-47758?
CVE-2024-47758 affects authenticated users of GLPI versions 9.3.0 through 10.0.16.
What kind of attack is possible with CVE-2024-47758?
An attacker can use the API to take control of any user with the same or lower privilege levels.
Is CVE-2024-47758 fixed in previous versions prior to 10.0.17?
No, CVE-2024-47758 is not fixed in any version prior to 10.0.17.
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/source
- agent/last-modified-date
- agent/severity
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- vendor/glpi
- canonical/glpi
- vendor/glpi-project
- version/glpi/9.3.0