Published on: 09/15/2021 12:00:00 AM UTC
Last Modified on: 09/15/2021 05:43:00 PM UTC
GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.
- CVE-2021-39209 has been assigned by [email protected] to track the vulnerability
- Affected Vendor/Software: glpi-project - glpi version < 9.5.6
|Release 9.5.6 · glpi-project/glpi · GitHub|| github.com |
|Bypassable CSRF protection · Advisory · glpi-project/glpi · GitHub|| github.com |
Known Affected Configurations (CPE V2.3)