CVE-2023-28634 Information

Description

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7 a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

Reference

https://github.com/glpi-project/glpi/releases/tag/9.5.13 https://github.com/glpi-project/glpi/releases/tag/10.0.7 https://github.com/glpi-project/glpi/security/advisories/GHSA-4279-rxmh-gf39