CVE-2024-50339
published 2024-12-12


Priority: P340 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 19.77% (97.1st percentile)
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Affected

2 ranges
Vendor        Product  Version range        Fixed in
glpi-project  glpi     (no range given)     (none given)
glpi-project  glpi     >= 9.5.0 < 10.0.17   10.0.17

Detection & IOCs (extracted from sources)

url:   /ajax/dashboard.php?
other: scssphp-glob(
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Leakymetry Authentication Bypass via Session Hijacking (CVE-2024-50339)"; flow:established,to_server; http.uri; content:"/ajax/dashboard.php|3f|"; content:"scssphp-glob|28|"; fast_pattern; http.method; content:"GET"; reference:url,sensepost.com/blog/2025/leakymetry-circumventing-glpi-authentication/; reference:cve,2024-50339; classtype:web-application-attack; sid:2067182; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_50339, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests are unauthenticated HTTP GET requests targeting /ajax/dashboard.php with a query string, containing the string 'scssphp-glob(' — monitor for this pattern as the fast_pattern anchor for the attack.
  • The vulnerability allows an unauthenticated user to retrieve all session IDs and use them to hijack valid sessions — alert on anomalous session reuse from new IPs/user-agents after requests to the dashboard AJAX endpoint.
  • The Emerging Threats rule (SID 2067182) covers perimeter, internal, and SSLDecrypt deployment contexts — ensure coverage is applied in TLS-decrypting inspection paths as well.
  • Affected versions are GLPI 9.5.0 through 10.0.16 — prioritize detection on hosts running these versions; 10.0.17 contains the patch.
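The Snort/Suricata rule above only fires on traffic the sensor sees decrypted. For hosts where that is not the case, the same three conditions (GET method, a `/ajax/dashboard.php?` URI, and the `scssphp-glob(` marker) can be checked retroactively against the web server's own access log. The script below is an added example written for this page; it is not code from GLPI, Emerging Threats or the CVE record. It assumes Apache/nginx "combined" log format, percent-decodes the URI before matching (the rule's `http.uri` buffer is the normalized URI, so an encoded `%28` still matches there), and the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not real traffic).
# Lines 1-2 carry the marker (line 2 percent-encoded); 3 is a benign dashboard
# refresh; 4 has the marker but is a POST, which the rule does not cover;
# 5 is unrelated.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jan/2026:10:00:01 +0000] "GET /ajax/dashboard.php?scssphp-glob(x HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [28/Jan/2026:10:00:02 +0000] "GET /ajax/dashboard.php?scssphp-glob%28x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [28/Jan/2026:10:00:03 +0000] "GET /ajax/dashboard.php?action=refresh HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [28/Jan/2026:10:00:04 +0000] "POST /ajax/dashboard.php?scssphp-glob(x HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.14 - - [28/Jan/2026:10:00:05 +0000] "GET /front/central.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD URI PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Content matches taken from the ET rule (SID 2067182) on this page.
URI_MARKER = "/ajax/dashboard.php?"
QUERY_MARKER = "scssphp-glob("


def matches_cve_2024_50339(method: str, uri: str) -> bool:
    """Mirror the rule's logic: GET + dashboard AJAX endpoint + glob marker.

    The URI is percent-decoded first, which is what the rule's normalized
    http.uri buffer does, so an encoded '(' (%28) is still caught.
    """
    normalized = unquote(uri)
    return method == "GET" and URI_MARKER in normalized and QUERY_MARKER in normalized


def scan_log(text: str) -> list[dict]:
    """Return one record per log line that matches the CVE-2024-50339 pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash the sweep
        if matches_cve_2024_50339(m["method"], m["uri"]):
            hits.append(
                {
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "uri": unquote(m["uri"]),
                    "status": int(m["status"]),
                    "ua": m["ua"],
                }
            )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 here means the endpoint answered; pair the source IP with any
        # subsequent session reuse from a different IP/user-agent.
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['uri']} ({hit['ua']})")
```

A hit with a 200 response is the interesting case: on unpatched versions it means the endpoint served the request, so the next step is to look for existing sessions reused from that IP or a new user-agent afterwards, and to rotate sessions once the host is upgraded to 10.0.17.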

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd     v4.0     9.3    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv     -        9.3    CRITICAL  -