CVE-2019-13240

MEDIUM

Glpi < 9.4.1 - Password Reset Weakness

Title source: rule

Description

An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.

References (5)

[Third Party Advisory] https://github.com/glpi-project/glpi/releases/tag/9.4.1

[Patch, Third Party Advisory] https://github.com/glpi-project/glpi/compare/1783b78...8e621f6

[Patch, Third Party Advisory] https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6

View Patch ZIP pw:eip

[Patch, Third Party Advisory] https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7

[Exploit, Third Party Advisory] https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf

Scores

CVSS v3 5.9

EPSS 0.0053

EPSS Percentile 67.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-640

Status published

Products (1)

glpi-project/glpi < 9.4.1

Published Jul 10, 2019

Tracked Since Feb 18, 2026