CVE-2026-23624

{"id": "CVE-2026-23624", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-04T18:16:08.913", "references": [{"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."}, {"lang": "es", "value": "GLPI es un paquete de software gratuito de gesti\u00f3n de activos y TI. En versiones desde la 0.71 hasta antes de la 10.0.23 y antes de la 11.0.5, cuando se utiliza la autenticaci\u00f3n remota, basada en variables SSO, un usuario puede robar una sesi\u00f3n GLPI previamente abierta por otro usuario en la misma m\u00e1quina. Este problema ha sido parcheado en las versiones ."}], "lastModified": "2026-02-06T21:18:17.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D09C27B0-C82A-4F14-845D-FF7991EDBBE4", "versionEndExcluding": "10.0.23", "versionStartIncluding": "0.71"}, {"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C13BB849-4C19-473A-B105-57915EE59C49", "versionEndExcluding": "11.0.5", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}