CVE-2024-48912: GLPI vulnerable to authenticated insecure account deletion
First published: Wed Dec 11 2024(Updated: )
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | >=10.0.0<10.0.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-48912?
CVE-2024-48912 is considered a critical vulnerability due to its potential to allow unauthorized account deletions by authenticated users.
How do I fix CVE-2024-48912?
To fix CVE-2024-48912, upgrade GLPI to version 10.0.17 or later, which contains the necessary patch.
What versions of GLPI are affected by CVE-2024-48912?
CVE-2024-48912 affects GLPI versions starting from 10.0.0 and prior to 10.0.17.
Can an unauthenticated user exploit CVE-2024-48912?
No, only authenticated users can exploit CVE-2024-48912 to delete user accounts.
What should I do if I cannot upgrade GLPI to fix CVE-2024-48912?
If an upgrade is not possible, consider implementing stricter access controls to limit authenticated user permissions until a patch can be applied.
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/severity
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi
- version/glpi/10.0.0