CVE-2024-40638

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-40638

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40638.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-40638

Aliases

GHSA-8843-r3m7-gfqx

Downstream

UBUNTU-CVE-2024-40638

Published

2024-11-15T18:06:36.649Z

Modified

2026-04-10T05:15:25.291321Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

GLPI allows account takeover via SQL Injection in AJAX scripts

Details

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40638.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

b094bc0c617761d6e7eee900950f24cea658d560

Fixed

08ee4d266768dc1f76cb6c716d7fd118d39676d9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40638.json"