CVE-2020-11033
MEDIUMGLPI 9.1-9.4.5 - Authenticated Exposure of Sensitive Information via API User Endpoint
Title source: llmDescription
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/
Scores
CVSS v3
6.6
EPSS
0.0045
EPSS Percentile
63.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
Details
CWE
CWE-200
Status
published
Products (3)
fedoraproject/fedora
31
fedoraproject/fedora
32
glpi-project/glpi
9.1 - 9.4.6
Published
May 05, 2020
Tracked Since
Feb 18, 2026