cbcvebase.
CVE-2019-14666
published 2019-09-25

CVE-2019-14666: GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery…

PriorityP354high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.23%
80.6th percentile
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

Affected

1 ranges
VendorProductVersion rangeFixed in
glpi-projectglpi<= 9.4.3

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.