Cyber Resilience

CVE-2024-50339

Critical

Published: 12 December 2024
Modified: 10 January 2025
KEV Added: not listed
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.1976 (95.6th percentile)
Risk Priority: 30 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-50339 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Glpi-Project Glpi. Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

GLPI, an open-source IT asset and service management application, contains a session management flaw in versions 9.5.0 through 10.0.16. An unauthenticated remote attacker can enumerate all active session identifiers, enabling the theft of any valid user session. The issue is tracked under CWE-287 and CWE-384 and carries a CVSS 4.0 score of 9.3.

Because the attack requires no credentials or user interaction, an adversary can obtain full access to any authenticated session, including those belonging to administrators. Successful exploitation grants the ability to view, modify, or delete arbitrary data within the GLPI instance and potentially pivot further into connected systems.

The project’s security advisory and the 10.0.17 release notes state that the vulnerability is resolved by updating to version 10.0.17 or later. The current EPSS score of 0.1976, with a recorded peak of 0.2196, indicates moderate and relatively stable exploitation interest since disclosure.

Vulnerability details

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the session IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: glpi-project
Product: glpi
Versions: 9.5.0 to 10.0.17

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping has not yet run for this entry; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-287, CWE-79: Penetration testing probes authentication mechanisms for bypasses, allowing identification and fixing of improper authentication issues.

Addresses CWE-384: Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult.

Addresses CWE-287: Detects unauthorized successful logons resulting from improper authentication implementations.

Addresses CWE-287: Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

Addresses CWE-287: Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

Addresses CWE-287: Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

Addresses CWE-287: Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

Addresses CWE-287: Session content review can reveal authentication bypasses or failures in session establishment.

References