Vulnerability Details : CVE-2019-13240
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
Products affected by CVE-2019-13240
- cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-13240
- EPSS score: 0.53% (estimated probability of exploitation activity in the next 30 days)
- EPSS percentile: ~77% (the proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2019-13240
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N (CVSS v2) | 8.6 | 2.9 | NIST | |
| 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2019-13240
- The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. (Assigned by: nvd@nist.gov, Primary)
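The two fix commits referenced for this CVE are titled "Fix password forget token check" and "Password token date was not removed", and the description gives a 24-hour reuse window after a successful reset. The following is an added example, written for this page in Python rather than GLPI's PHP, and it is not GLPI code: it models a single-use, time-limited reset token whose token hash and timestamp are both cleared once a reset succeeds, next to a variant (`clear_after_use=False`) that leaves them in place so the same token still works for the rest of the window. The user store, the account `alice@example.org`, the timestamps and the PBKDF2 password hashing are all constructed for the example; the model shows the lingering-state half of the weakness only and does not reproduce GLPI's actual token check, which the page does not detail.

```python
"""Single-use, time-limited password reset tokens (hypothetical model, not GLPI code)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

TOKEN_TTL = timedelta(hours=24)  # same validity window the advisory text describes


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2 stand-in for a real password hash; salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserRecord:
    email: str
    password: bytes
    reset_token_hash: Optional[str] = None   # only a hash of the token is stored
    reset_token_date: Optional[datetime] = None


class ResetService:
    """In-memory user store; clear_after_use=False models token state that is never removed."""

    def __init__(self, clear_after_use: bool = True) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.clear_after_use = clear_after_use

    def add_user(self, email: str, password: str) -> None:
        self.users[email] = UserRecord(email, hash_password(password))

    def request_reset(self, email: str, now: datetime) -> Optional[str]:
        """Issue a fresh token; in a real system it is delivered by email only."""
        user = self.users.get(email)
        if user is None:
            return None  # the HTTP response should look the same either way
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        user.reset_token_date = now
        return token

    @staticmethod
    def _clear(user: UserRecord) -> None:
        user.reset_token_hash = None
        user.reset_token_date = None

    def complete_reset(self, email: str, token: str, new_password: str, now: datetime) -> bool:
        user = self.users.get(email)
        if user is None or user.reset_token_hash is None or user.reset_token_date is None:
            return False  # no outstanding reset for this account
        if not (user.reset_token_date <= now <= user.reset_token_date + TOKEN_TTL):
            self._clear(user)  # expired: drop it so it cannot be retried later
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(user.reset_token_hash, presented):
            return False
        user.password = hash_password(new_password)
        if self.clear_after_use:
            self._clear(user)  # token and its date both removed on success
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and check_password(password, user.password)


def run_scenario(clear_after_use: bool) -> Dict[str, bool]:
    """Constructed walk-through: reset once, then try the same token again inside and after the window."""
    svc = ResetService(clear_after_use)
    svc.add_user("alice@example.org", "old-secret")  # constructed test account
    t0 = datetime(2019, 7, 1, 12, 0, tzinfo=timezone.utc)
    token = svc.request_reset("alice@example.org", t0)
    assert token is not None
    return {
        "wrong_token_rejected": not svc.complete_reset("alice@example.org", "not-the-token", "x", t0),
        "first_reset_ok": svc.complete_reset("alice@example.org", token, "new-1", t0 + timedelta(hours=1)),
        "login_new_ok": svc.login("alice@example.org", "new-1"),
        "reuse_within_window": svc.complete_reset("alice@example.org", token, "new-2", t0 + timedelta(hours=2)),
        "reuse_after_window": svc.complete_reset("alice@example.org", token, "new-3", t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    print("cleared after use:", run_scenario(True))
    print("left in place:   ", run_scenario(False))
```

With `clear_after_use=True` the second attempt inside the 24-hour window fails because nothing is left to match; with `clear_after_use=False` it succeeds and changes the password a second time, and only the expiry stops it after 24 hours. Clearing the timestamp as well as the token matters: a check that only compares dates would otherwise keep treating the account as having a live reset for the whole window.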
References for CVE-2019-13240
- https://www.synacktiv.com/ressources/advisories/GLPI_9.4.0_unsafe_reset.pdf (Synacktiv advisory; Exploit, Third Party Advisory)
- https://github.com/glpi-project/glpi/releases/tag/9.4.1 (Release 9.4.1; Third Party Advisory)
- https://github.com/glpi-project/glpi/commit/5da9f99b2d81713b1e36016b47ce656a33648bc7 (commit "Fix password forget token check; fixes #5386"; Patch, Third Party Advisory)
- https://github.com/glpi-project/glpi/compare/1783b78...8e621f6 (comparison 1783b78...8e621f6; Patch, Third Party Advisory)
- https://github.com/glpi-project/glpi/commit/86a43ae47b3dd844947f40a2ffcf1a36e53dbba6 (commit "Password token date was not removed"; Patch, Third Party Advisory)