CVE-2020-27662Authorization Bypass Through User-Controlled Key in Glpi

CWE-639Authorization Bypass Through User-Controlled Key2 documents2 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 54.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Glpi-project Glpi
Timeline
PublishedNov 26

Description

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

NVDglpi-project/glpi< 9.5.3

🔴Vulnerability Details

1
OSV
CVE-2020-27662: In GLPI before 92020-11-26