CVE-2019-13240
MEDIUMGLPI < 9.4.1 - Weak Password Recovery Mechanism for Forgotten Password
Title source: llmDescription
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/releases/tag/9.4.1
Patch, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/compare/1783b78...8e621f6
Patch, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6
Patch, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7
Exploit, Third Party Advisory x_refsource_misc
https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf
Scores
CVSS v3
5.9
EPSS
0.0175
EPSS Percentile
74.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-640
Status
published
Products (1)
glpi-project/glpi
< 9.4.1
Published
Jul 10, 2019
Tracked Since
Feb 18, 2026