CVE-2024-40638

Published Nov 15, 2024

Last updated 3 months ago

CVSS high 8.8

Overview

Description: GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

security-advisories@github.com: CWE-89

Hype score: Not currently trending

Did you know? #GLPI 10.0.17 is out! 🚀 This release fixes critical security issues, including: 🔒 Unauthenticated session hijacking (CVE-2024-50339) 🔒 SQL injection & account takeovers (CVE-2024-40638, CVE-2024-47758) 🔒 Multiple XSS vulnerabilities Update now! #Cybersecurit
@Hawatel_company
19 Dec 2024
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EF1CB35A-7DA0-4413-83E8-C8AFA528212D",
            "versionEndExcluding": "10.0.17",
            "versionStartIncluding": "0.85"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References