Description

GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.

Related CPE's

Could not find any relations

References

https://glpi-project.org/pt-br/

https://www.exploit-db.com/exploits/51418

https://www.vulncheck.com/advisories/glpi-username-enumeration-vulnerability-via-lost-password-endpoint

https://www.exploit-db.com/exploits/51418

Weaknesses

[email protected]

Secondary
CWE-203

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Awaiting analysis

Published

2025-12-18T20:15:52.940

24 hours ago

Last modified

2025-12-19T18:00:18.330

3 hours ago