CVE-2021-39210

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.
Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

28 Sep 2021, 16:40

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5
v2 : 3.5
v3 : 6.5
CWE CWE-1004 CWE-732
CPE cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
References (MISC) https://huntr.dev/bounties/b2e99a41-b904-419f-a274-ae383e4925f2/ - (MISC) https://huntr.dev/bounties/b2e99a41-b904-419f-a274-ae383e4925f2/ - Third Party Advisory
References (CONFIRM) https://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2 - (CONFIRM) https://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2 - Third Party Advisory
References (MISC) https://github.com/glpi-project/glpi/releases/tag/9.5.6 - (MISC) https://github.com/glpi-project/glpi/releases/tag/9.5.6 - Release Notes, Third Party Advisory

15 Sep 2021, 17:43

Type Values Removed Values Added
New CVE

Information

Published : 2021-09-15 17:15

Updated : 2024-02-04 22:08


NVD link : CVE-2021-39210

Mitre link : CVE-2021-39210

CVE.ORG link : CVE-2021-39210


JSON object : View

Products Affected

glpi-project

  • glpi
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag