CVE-2023-53943

MEDIUM

GLPI 9.5.7 - Username Enumeration via Lost Password Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53943. PoC published by Rafael B.

AI-analyzed exploit summary: This script automates username enumeration in GLPI by sending password reset requests for a list of email addresses and checking each response for a success message. It handles CSRF tokens and session cookies to keep the requests valid.

Description

GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that lets an unauthenticated attacker confirm whether an email address belongs to a registered account. By submitting requests to the password reset endpoint and comparing the responses, an attacker can test email addresses one by one and identify valid user accounts.

Exploits (1)

exploitdb · SCANNER
by Rafael B. · python · webapps · php
https://www.exploit-db.com/exploits/51418


Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GLPI versions 9.1 to 9.5.7
No auth needed
Prerequisites: Access to the GLPI lost password endpoint · A list of email addresses to test
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 21.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-203
Status published
Products (2)
glpi-project/glpi 9.5.7
Glpi-Project/GLPI 9.5.7
Published Dec 18, 2025
Tracked Since Feb 18, 2026