CVE-2024-50339

Published: Dic 12, 2024 Last Modified: Gen 10, 2025 EU-VD ID: EUVD-2024-45179

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: low

Integrity: none

Availability: none

Description

AI Translation Available

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0060

Percentile

0,7th

Updated

EPSS Score Trend (Last 90 Days)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Confidentiality Integrity Availability

Potential Impacts:

Bypass Protection Mechanism Read Application Data Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: AI/ML, Web Based, Web Server

Likelihood of Exploit: High

View CWE Details

287

Improper Authentication

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: ICS/OT, Not Technology-Specific, Web Based

Likelihood of Exploit: High

View CWE Details

384

Session Fixation

Incomplete

Abstraction: Compound Structure: Composite

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Gain Privileges Or Assume Identity

Applicable Platforms

Technologies: Web Based, Web Server

View CWE Details

Application

Glpi by Glpi-Project

Product Information

Vendor Glpi-Project

Product Glpi

Version Range Affected

From 9.5.0 (inclusive)

To 10.0.17 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/glpi-project/glpi/releases/tag/10.0.17

Release Notes

https://github.com/glpi-project/glpi/releases/tag/10.0.17

https://github.com/glpi-project/glpi/security/advisories/GH…

Vendor Advisory

https://github.com/glpi-project/glpi/security/advisories/GHSA-v977-g4r9-6r72

CVE-2024-50339

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Common Consequences

Applicable Platforms

Improper Authentication

Common Consequences

Applicable Platforms

Session Fixation

Common Consequences

Applicable Platforms

Glpi by Glpi-Project

Product Information

Iscriviti alla newsletter