UBUNTU-CVE-2019-14666

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2019-14666

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-14666.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-14666

Related

CVE-2019-14666

Published

2019-09-25T20:15:00Z

Modified

2025-01-13T10:21:58Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

References

Affected packages

Ubuntu:Pro:16.04:LTS / glpi

Package

Name: glpi
Purl: pkg:deb/ubuntu/glpi@0.84.8+dfsg.1-1ubuntu1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.84.8+dfsg.1-1

0.84.8+dfsg.1-1ubuntu1

Ecosystem specific

{
    "ubuntu_priority": "low"
}