Vulnerability Description
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 0.83, < 9.5.13 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/releases/tag/10.0.7PatchRelease Notes
- https://github.com/glpi-project/glpi/releases/tag/9.5.13PatchRelease Notes
- https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9xVendor Advisory
- https://github.com/glpi-project/glpi/releases/tag/10.0.7PatchRelease Notes
- https://github.com/glpi-project/glpi/releases/tag/9.5.13PatchRelease Notes
- https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9xVendor Advisory
FAQ
What is CVE-2023-28632?
CVE-2023-28632 is a vulnerability with a CVSS score of 8.1 (HIGH). GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeov...
How severe is CVE-2023-28632?
CVE-2023-28632 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28632?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.