Privilege Escalation from technician to super-admin
Package
glpi
(glpi-project)
Affected versions
>= 0.83
Patched versions
9.5.13, 10.0.7
Description
Credits
-
smaury Reporter
smaury
Reporter
Impact
A user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possibile to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation.
Patches
Upgrade to 10.0.7.
For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.