CVE-2023-28632

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated GLPI users to modify any user's email address, enabling account takeover through password reset functionality and potential exposure of sensitive notification data. It affects GLPI installations from version 0.83 up to but excluding versions 9.5.13 and 10.0.7.

💻 Affected Systems

Products:
  • GLPI
Versions: 0.83 to 9.5.12, and 10.0.0 to 10.0.6
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: All GLPI installations with default configurations are vulnerable. Requires authenticated user access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of any user account including administrators, leading to full system control, data theft, and privilege escalation across the GLPI instance.

🟠

Likely Case

Unauthorized email modification leading to account takeover of regular users, exposure of sensitive notifications, and potential lateral movement within the system.

🟢

If Mitigated

Limited to unauthorized email modification without account takeover if password reset notifications are disabled, but still allows email spoofing and potential data exposure.

🌐 Internet-Facing: HIGH - Internet-facing GLPI instances are directly exploitable by authenticated attackers, enabling remote account compromise.
🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this to escalate privileges and compromise other user accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.13 or 10.0.7

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9x

Restart Required: No

Instructions:

1. Backup your GLPI database and files.
2. Download the patched version (9.5.13 or 10.0.7) from the official GLPI repository.
3. Follow the GLPI upgrade documentation for your version.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable Password Reset Notifications

Applies to: all affected versions

Prevents account takeover by disabling email notifications for password reset events, but does not prevent unauthorized email modification.

Navigate to GLPI Setup > Notifications > Event > 'Forgotten password?' and disable all notification methods

🧯 If You Can't Patch

  • Implement strict access controls and monitor user email modification activities
  • Disable password reset functionality entirely and require manual password resets by administrators

🔍 How to Verify

Check if Vulnerable:

Check the GLPI version via the web interface (Setup > About) or by examining the GLPI installation files. If the version is between 0.83 and 9.5.12, or between 10.0.0 and 10.0.6, the system is vulnerable.

Check Version:

Check the GLPI web interface at /front/central.php or examine the GLPI files for version information

Verify Fix Applied:

After patching, verify the version shows 9.5.13 or 10.0.7. Test that authenticated users cannot modify other users' email addresses.
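A small version checker for the affected ranges above, added here as an example (it is not GLPI project code). It compares a version string against the two inclusive ranges the advisory lists, and it can pull the version string out of GLPI's `inc/define.php`, where current releases declare `define('GLPI_VERSION', '...')`; the file contents used below are constructed sample input, and pre-release suffixes such as `-rc1` are stripped, so a release candidate of a fixed version should be checked by hand.

```python
import re

# Affected ranges as stated in the advisory for CVE-2023-28632,
# as inclusive (lower, upper) bounds on a (major, minor, patch) tuple.
AFFECTED_RANGES = [
    ((0, 83, 0), (9, 5, 12)),   # 0.83 to 9.5.12, fixed in 9.5.13
    ((10, 0, 0), (10, 0, 6)),   # 10.0.0 to 10.0.6, fixed in 10.0.7
]

# Matches the GLPI_VERSION define in inc/define.php (constructed sample below).
_DEFINE_RE = re.compile(r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '9.5.12', '10.0.7' or '0.83' into a comparable 3-tuple.

    A pre-release suffix ('10.0.7-rc1') is dropped, so such builds are
    compared as the release they precede and need manual review.
    """
    core = text.strip().split("-")[0]
    nums = []
    for part in core.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            raise ValueError(f"cannot parse version component {part!r} in {text!r}")
        nums.append(int(digits))
    while len(nums) < 3:          # '0.83' -> (0, 83, 0)
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def extract_version_from_define(php_source: str) -> str:
    """Read the GLPI_VERSION constant from the text of inc/define.php."""
    match = _DEFINE_RE.search(php_source)
    if not match:
        raise ValueError("GLPI_VERSION define not found")
    return match.group(1)


if __name__ == "__main__":
    # Constructed sample of the relevant line from inc/define.php.
    sample_define = "define('GLPI_VERSION', '10.0.6');"
    found = extract_version_from_define(sample_define)
    print(f"GLPI {found}: {'VULNERABLE' if is_vulnerable(found) else 'not affected'}")
```

On a real host, read `inc/define.php` from the GLPI install directory and pass its contents to `extract_version_from_define`; after upgrading, the same check should report 9.5.13 or 10.0.7 as not affected.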

📡 Detection & Monitoring

Log Indicators:

  • Multiple email modification events from single user accounts
  • Unusual password reset requests
  • User profile modification logs showing email changes

Network Indicators:

  • HTTP POST requests to user profile update endpoints from unauthorized sources

SIEM Query:

source="glpi_logs" AND (event="user_email_change" OR event="password_reset_request") | stats count by user, target_user
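The following is an added example, not part of the original advisory, showing the detection logic behind the log and SIEM indicators above run over a few constructed, normalized event records. The JSON line format and the `event`, `user` and `target_user` field names are assumptions (they mirror the SIEM query rather than GLPI's own log layout): it reproduces the `stats count by user, target_user` aggregation, flags email changes made to someone else's account, and correlates such a change with a password reset request for the same target inside a time window, which is the account-takeover sequence this CVE enables.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real GLPI logs); one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2023-04-05T09:00:01", "event": "user_email_change", "user": "alice", "target_user": "alice"}
{"ts": "2023-04-05T09:12:44", "event": "user_email_change", "user": "mallory", "target_user": "admin"}
{"ts": "2023-04-05T09:13:10", "event": "password_reset_request", "user": "anonymous", "target_user": "admin"}
{"ts": "2023-04-05T09:20:00", "event": "user_email_change", "user": "mallory", "target_user": "bob"}
{"ts": "2023-04-05T11:00:00", "event": "password_reset_request", "user": "anonymous", "target_user": "carol"}
"""

WATCHED_EVENTS = ("user_email_change", "password_reset_request")


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def stats_by_user_target(events: list[dict]) -> Counter:
    """Same aggregation as the SIEM query: count by (user, target_user)."""
    return Counter((e["user"], e["target_user"])
                   for e in events if e["event"] in WATCHED_EVENTS)


def cross_user_email_changes(events: list[dict], allowed_editors=frozenset()) -> list[dict]:
    """Email changes where the acting user is not the account owner.

    Accounts whose role legitimately edits other users (helpdesk admins)
    go in allowed_editors so routine administration is not reported.
    """
    return [e for e in events
            if e["event"] == "user_email_change"
            and e["user"] != e["target_user"]
            and e["user"] not in allowed_editors]


def reset_following_foreign_email_change(events: list[dict],
                                          window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Correlate a password reset request with a preceding email change on the
    same target made by someone else, within the window."""
    last_change = {}   # target_user -> (ts of change, user who changed it)
    alerts = []
    for e in events:   # events are time-ordered, so a single pass suffices
        if e["event"] == "user_email_change" and e["user"] != e["target_user"]:
            last_change[e["target_user"]] = (e["ts"], e["user"])
        elif e["event"] == "password_reset_request":
            hit = last_change.get(e["target_user"])
            if hit and e["ts"] - hit[0] <= window:
                alerts.append({"target_user": e["target_user"],
                               "changed_by": hit[1],
                               "reset_ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (user, target), n in stats_by_user_target(evs).items():
        print(f"{user:>10} -> {target:<8} {n}")
    for e in cross_user_email_changes(evs):
        print("foreign email change:", e["user"], "->", e["target_user"])
    for a in reset_following_foreign_email_change(evs):
        print("ALERT possible takeover:", a)
```

The second indicator is the one worth paging on: a single foreign email change may be an administrator doing their job, but an email change on another account followed minutes later by a password reset for that account matches the takeover path exactly, and the allow-list keeps sanctioned admin accounts out of the first report.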

🔗 References
