CVE-2021-21324Authorization Bypass Through User-Controlled Key in Glpi

CWE-639Authorization Bypass Through User-Controlled Key2 documents2 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 45.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Glpi-project Glpi
Timeline
PublishedMar 8

Description

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

NVDglpi-project/glpi< 9.5.4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2021-21324: GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing2021-03-08