CVE-2024-47761: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique) versions from 0.80 to prior to 10.0.17 contain a security vulnerability that allows privilege escalation through password reset functionality. The vulnerability was discovered and disclosed on December 11, 2024, affecting the authentication mechanism of GLPI, a free asset and IT management software package (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is related to improper authentication (CWE-287) and allows administrators with access to sent notifications contents to potentially compromise accounts with higher privileges (NVD).

When exploited, this vulnerability enables an administrator with access to sent notifications contents to take control of accounts with higher privileges, potentially leading to unauthorized access to sensitive information and system controls (GitHub Advisory).

The vulnerability has been patched in GLPI version 10.0.17. Users are strongly recommended to upgrade to this version to mitigate the security risk (GitHub Release).

The vulnerability was part of a larger security update that addressed multiple critical vulnerabilities in GLPI. The release of version 10.0.17 was marked as a critical security update, with the vendor strongly recommending immediate upgrade (Security Online).