CVE-2023-41323
Users login enumeration by unauthenticated user in GLPI
In short
An attacker without a user account can discover valid usernames in GLPI by exploiting how the system handles login attempts, potentially using this information for further attacks like password guessing.
Technical detail
Unauthenticated user enumeration vulnerability in GLPI allows attackers to determine valid usernames through login response analysis or similar timing/response-based techniques. This information disclosure (CWE-200) enables account enumeration without authentication, facilitating subsequent credential attacks and reducing attack complexity.
Summary generated and translated by AI from the official description.
GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. An unauthenticated user can enumerate user logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
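As an added illustration of the vulnerability class described above (not GLPI's own code, and not the specific flaw fixed in 10.0.10), the leaky login pattern sits beside a hardened one that returns the same message and does the same hashing work whether or not the account exists, followed by a small detector for enumeration-style activity in authentication events. The user store, dummy credential and sample events are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, pbkdf2 hash). Not GLPI's schema.
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_password("correct horse", _salt))}

# Dummy credential so the unknown-user path costs the same as a real check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Pattern that enables enumeration: distinct messages and a cheap unknown-user path."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user"
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, "Wrong password"


def login_uniform(username: str, password: str):
    """Hardened: one failure message and equal work for existing and missing accounts."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    # A match against the dummy record must never log anyone in.
    if record is not None and match:
        return True, "Welcome"
    return False, "Invalid username or password"


def enumeration_sources(events, threshold: int = 5):
    """Flag sources that tried many distinct usernames and never logged in."""
    seen = {}
    for src, user, ok in events:
        names, any_ok = seen.setdefault(src, (set(), False))
        names.add(user)
        seen[src] = (names, any_ok or ok)
    return sorted(s for s, (n, ok) in seen.items() if len(n) >= threshold and not ok)


# Constructed events (source, username, success); not real GLPI log data.
SAMPLE_EVENTS = [("10.0.0.5", f"user{i}", False) for i in range(8)] + [("10.0.0.9", "alice", True)]
```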
Affected products
glpi-project · glpi