5.9

CVE-2019-13240

Exploit
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Glpi-projectGlpi Version < 9.4.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.75% 0.749
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-640 Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7
Patch
Third Party Advisory
https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6
Patch
Third Party Advisory
https://github.com/glpi-project/glpi/compare/1783b78...8e621f6
Patch
Third Party Advisory
https://github.com/glpi-project/glpi/releases/tag/9.4.1
Third Party Advisory
https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf
Third Party Advisory
Exploit