CVE-2024-40638

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user's account data and take control of it. Upgrade to 10.0.17.
Configurations

Configuration 1

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

20 Nov 2024, 15:30

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown; v3 : 8.1 | v2 : unknown; v3 : 8.8 |
| CPE | | cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* |
| First Time | | Glpi-project; Glpi-project glpi |
| References | https://github.com/glpi-project/glpi/security/advisories/GHSA-8843-r3m7-gfqx | https://github.com/glpi-project/glpi/security/advisories/GHSA-8843-r3m7-gfqx - Vendor Advisory |

18 Nov 2024, 17:11

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es) GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user's account data and take control of it. Upgrade to version 10.0.17. |

15 Nov 2024, 18:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2024-11-15 18:15

Updated : 2024-11-20 15:30


NVD link : CVE-2024-40638

Mitre link : CVE-2024-40638

CVE.ORG link : CVE-2024-40638


Products Affected

glpi-project

  • glpi
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')