CVE-2024-50339 CRITICAL

CVE-2024-50339: GLPI vulnerable to unauthenticated session hijacking

Vendor Glpi-Project

Product glpi

Weakness CWE-79 · XSS

Published December 11, 2024

Last update December 11, 2024

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Key dates

02Disclosure timeline

December 11, 2024 CVE published

December 11, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-50339

Related vulnerabilities

04Related CVE

CVE-2024-37950 WordPress Master Popups plugin <= 1.0.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-13743 Wonder Video Embed <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2023-5112 Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS) CVE-2024-9209 WP Search Analytics <= 1.4.10 - Reflected Cross-Site Scripting CVE-2022-36096 XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list