CVE-2019-14666

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-14666

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14666.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-14666

Related

GHSA-47hq-pfrr-jh5q
UBUNTU-CVE-2019-14666

Published

2019-09-25T20:15:10Z

Modified

2025-01-14T07:49:46.862892Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

081338b2fa3a98eacb6f7ca380714f34ec0266ff

Affected versions

0.*

0.90

0.90-RC1

0.90-RC2

0.90-beta1

0.90-beta2

0.90.1

9.*

9.1

9.1-RC1

9.1-RC2

9.3-beta

9.4.0

9.4.0-beta

9.4.0-rc1

9.4.0-rc2

9.4.1

9.4.1.1

9.4.2

9.4.3