CVE-2019-13240

EUVD-2019-4747
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Affected Products (NVD)
VendorProductVersion
glpi-projectglpi
𝑥
< 9.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
glpi
bionic
dne
cosmic
dne
disco
dne
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7
https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6
https://github.com/glpi-project/glpi/compare/1783b78...8e621f6
https://github.com/glpi-project/glpi/releases/tag/9.4.1
https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf
https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7
https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6
https://github.com/glpi-project/glpi/compare/1783b78...8e621f6
https://github.com/glpi-project/glpi/releases/tag/9.4.1
https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf