CVE-2019-13240 — Weak Password Recovery Mechanism for Forgotten Password in Glpi

CWE-640 — Weak Password Recovery Mechanism for Forgotten Password5 documents3 sources

Severity

5.9MEDIUMNVD

EPSS

0.5%

top 32.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedJul 10

Latest updateMay 24

Description

An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages1 packages

▶NVDglpi-project/glpi< 9.4.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-59hh-4792-xv6g: An issue was discovered in GLPI before 9↗2022-05-24

▶

💬Community

Bugzilla

CVE-2019-13240 glpi: unsafe password reset [epel-7]↗2019-07-11

▶

Bugzilla

CVE-2019-13240 GLPI: unsafe password reset↗2019-07-11

▶

Bugzilla

CVE-2019-13240 glpi: unsafe password reset [fedora-all]↗2019-07-11

▶