Headline
CVE-2023-35940: Unauthenticated access to Dashboard data
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to access dashboard data. Version 10.0.8 contains a patch for this issue.
High
trasher published GHSA-qrh8-rg45-45fw
Jul 5, 2023
Package
glpi (glpi)
Affected versions
>= 9.5.0
Patched versions
10.0.8
Description
Impact
An incorrect rights check on a file allows an unauthenticated user to access dashboard data.
Patches
Upgrade to 10.0.8
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
High
7.5 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID
CVE-2023-35940
Weaknesses
CWE-284