Insufficient Session Expiration

CVE-2022-39234

Medium

4.7/10

Summary

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Attack Complexity: HIGH
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

Advisory Timeline

Published Nov 03, 2022

Insufficient Session Expiration

CVE-2022-39234

Summary

CWE-613 - Insufficient Session Expiration

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS