CVE-2024-50339
12.12.2024, 02:06
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
Vendor | Product | Version |
---|---|---|
glpi-project | glpi | 9.5.0 ≤ 𝑥 < 10.0.17 |
𝑥
= Vulnerable software versions

Ubuntu Releases
Common Weakness Enumeration
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- CWE-384 - Session FixationAuthenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.