GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails.
References
Link | Resource |
---|---|
https://github.com/glpi-project/glpi/releases/tag/10.0.7 | Patch Release Notes |
https://github.com/glpi-project/glpi/releases/tag/9.5.13 | Patch Release Notes |
https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9x | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-05T14:45:12.075Z
Updated: 2023-04-05T14:45:12.075Z
Reserved: 2023-03-20T12:19:47.207Z
Link: CVE-2023-28632
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-04-05T15:15:06.870
Modified: 2023-04-12T15:34:13.297
Link: CVE-2023-28632
JSON object: View
Redhat Information
No data.
CWE