CVE-2024-47760: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a critical security vulnerability (CVE-2024-47760) affecting versions from 9.1.0 up to (excluding) 10.0.17. The vulnerability was discovered and disclosed in December 2024, allowing technicians with API access to potentially take control of accounts with higher privileges (GLPI Advisory, NVD).

The vulnerability has received a CVSS v4.0 base score of 7.5 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Additionally, it received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-284 (Improper Access Control) (NVD).

The vulnerability enables technicians with API access to escalate their privileges and take control of accounts with higher permissions, potentially including administrative accounts. This could lead to unauthorized access to sensitive information and system controls (Security Online).

The vulnerability has been patched in GLPI version 10.0.17. Organizations using affected versions are strongly recommended to upgrade to this latest version immediately to mitigate the risk (GLPI Release).

The vulnerability was part of a larger security update that addressed multiple critical issues in GLPI. The security community has emphasized the importance of immediate updates, particularly given the potential for privilege escalation and account takeover (Security Online).