CVE-2024-47761: GLPI vulnerable to account takeover via the password reset feature
First published: Wed Dec 11 2024(Updated: )
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| >=0.80<10.0.17 | ||
| Teclib GLPI | >=0.80<10.0.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-47761?
CVE-2024-47761 is considered a medium severity vulnerability that could allow unauthorized access to higher privilege accounts.
How do I fix CVE-2024-47761?
To fix CVE-2024-47761, upgrade GLPI to version 10.0.17 or later.
What versions of GLPI are affected by CVE-2024-47761?
CVE-2024-47761 affects GLPI versions from 0.80 through 10.0.16.
Who is impacted by CVE-2024-47761?
Administrators of GLPI who have access to sent notification contents are at risk from CVE-2024-47761.
What should I do if I cannot upgrade from the vulnerable version regarding CVE-2024-47761?
If upgrading is not possible, review your user permissions and limit access to sent notifications to mitigate risks from CVE-2024-47761.
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/tags
- collector/nvd-api
- source/NVD
- vendor/glpi-project
- canonical/teclib glpi
- version/teclib glpi/0.80