CVE-2025-53008 — Insufficiently Protected Credentials in Glpi

CWE-522 — Insufficiently Protected Credentials CWE-401 — Missing Release of Memory after Effective Lifetime3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 80.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi Msrc Cbl2 Kernel 5.15.186.1-1 ON CBL Mariner 2.0 Msrc Cbl2 Kernel 5.15.200.1-1 ON CBL Mariner 2.0 +1 more

Timeline

PublishedJul 30

Description

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDglpi-project/glpi9.3.1 — 10.0.19

▶CVEListV5glpi-project/glpi>= 9.3.1, < 10.0.19

▶msrcmsrc/cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_kernel_5.15.200.1-1_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_kernel_5.15.202.1-1_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CVE-2025-53008: GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features,↗2025-07-30

▶

📋Vendor Advisories

Microsoft

cifs: fix potential memory leaks in session setup↗2025-03-11

▶