6.5
CVE-2024-27930
- EPSS 1.14%
- Veröffentlicht 18.03.2024 16:15:08
- Zuletzt bearbeitet 02.01.2025 16:19:42
- CVE-Watchlists
- Unerledigt
Sensitive fields access through dropdowns in GLPI
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Glpi-project ≫ Glpi Version >= 0.78 < 10.0.13
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.14% | 0.626 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
https://borelenzo.github.io/stuff/2024/02/29/glpi-pwned.html
https://github.com/glpi-project/glpi/commit/1942b70b2422fff51822f6eb3af500c94760871e
https://github.com/glpi-project/glpi/releases/tag/10.0.13
https://github.com/glpi-project/glpi/security/advisories/GHSA-82vv-j9pr-qmwq