CVE-2024-11955

EUVD-2024-53934

25.02.2025, 16:15

A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
VulDB	CNA	4.3 MEDIUM				CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Affected Products (NVD)

Vendor	Product	Version
glpi-project	glpi	0.85 ≤ 𝑥 < 10.0.18

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

glpi

focal	dne
jammy	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
xenial	needs-triage

Known Exploits!

https://vuldb.com/?submit.451775

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/glpi-project/glpi/releases/tag/10.0.18

https://github.com/glpi-project/glpi/security/advisories/GHSA-g5fm-jq4j-c2c7

https://vuldb.com/?ctiid.296809

https://vuldb.com/?id.296809

https://vuldb.com/?submit.451775