CVE-2020-26212 — Missing Authorization in Glpi

CWE-862 — Missing Authorization1 documents1 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 47.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedNov 25

Description

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assi…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDglpi-project/glpi< 9.5.3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗