CVE-2025-23046

25.02.2025, 18:15

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Vendor	Product	Version
glpi-project	glpi	9.5.0 ≤ 𝑥 < 10.0.18

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-303 - Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

References

https://github.com/glpi-project/glpi/releases/tag/10.0.18

https://github.com/glpi-project/glpi/security/advisories/GHSA-vfxc-qg3v-j2r5