CVE-2024-47760: GLPI vulnerable to account takeover via API

7.5 CVSS

Description

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Classification

CVE ID: CVE-2024-47760

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

Affected Products

Vendor: glpi-project

Product: glpi

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 21.56% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-r3mx-fr5f-gwgp
https://github.com/glpi-project/glpi/releases/tag/10.0.17

Timeline

2024-12-12 00:31:13 UTC
CVE

GLPI vulnerable to account takeover via API