CVE-2024-50339: GLPI vulnerable to unauthenticated session hijacking
First published: Wed Dec 11 2024(Updated: )
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | >=9.5.0<10.0.17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-50339?
CVE-2024-50339 is considered a critical vulnerability due to the potential for session hijacking by unauthenticated users.
How do I fix CVE-2024-50339?
To fix CVE-2024-50339, upgrade to GLPI version 10.0.17 or later, where the vulnerability has been patched.
Who is affected by CVE-2024-50339?
CVE-2024-50339 affects all users of GLPI versions 9.5.0 to 10.0.16.
What does CVE-2024-50339 allow an attacker to do?
CVE-2024-50339 allows an attacker to retrieve session IDs and potentially hijack valid user sessions.
Is CVE-2024-50339 a remote vulnerability?
Yes, CVE-2024-50339 can be exploited remotely by unauthenticated users.
- agent/references
- agent/title
- agent/first-publish-date
- agent/description
- agent/type
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi
- version/glpi/9.5.0