CVE-2023-35939: Unauthorized access to Dashboard data
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file accessible by an authenticated user (or, for certain actions, by an unauthenticated one) allows a threat actor to interact with, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.
High
trasher published GHSA-cjcx-pwcx-v34c
Jul 5, 2023
Package
glpi (glpi)
Affected versions
>= 9.5.0
Patched versions
10.0.8
Description
Impact
An incorrect rights check on a file allows an authenticated user to interact with, modify, or see dashboard data.
Patches
Upgrade to 10.0.8
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
High
8.1 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID
CVE-2023-35939
Weaknesses
CWE-284
Credits
- flegastelois Analyst