CVE-2024-50339

MEDIUM

GLPI <10.0.17 - Info Disclosure

Title source: llm

Description

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the session IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Scores

CVSS v3 5.3
EPSS 0.1756
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-287 CWE-79 CWE-384
Status published
Products (1)
glpi-project/glpi 9.5.0 - 10.0.17
Published Dec 12, 2024
Tracked Since Feb 18, 2026