CVE-2025-23046 MEDIUM

CVE-2025-23046: GLPI vulnerable to unauthorized authentication by email using the OAuthIMAP plugin

Vendor Glpi-Project
Product glpi
Weakness CWE-303
Published February 25, 2025
Last update February 25, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Key dates

02Disclosure timeline

February 25, 2025 CVE published
February 25, 2025 Record updated