Listen to this Post
The vulnerability exists in the event participation logic within modules/events/events_function.php. At line 47, the parameter `user_uuid` is retrieved from the GET request via admFuncVariableIsValid. Later, at line 424, the condition checks if the event is open for participation OR if the current user is a leader using the `||` operator. If the event is open for participation (possibleToParticipate() returns true), this condition passes for any authenticated user, not just leaders. Consequently, the application operates on the `usr_id` of the target user specified in the `user_uuid` parameter rather than enforcing the current user’s identity. This allows any participant to register or cancel participation for arbitrary other users by simply manipulating the `user_uuid` GET parameter.
dailycve form:
Platform: GLPI
Version: 10.0.18
Vulnerability : Authorization Bypass
Severity: MODERATE
date: 2025-07-15
Prediction: Patched (10.0.19)
What Undercode Say:
Analytics:
This vulnerability is a business logic flaw stemming from improper ownership validation. Unlike SQL injection or XSS, which involve input sanitization, this CWE-285 (Improper Authorization) flaw relies on the misuse of logical operators. The `||` (OR) condition fails to enforce that only leaders can act on behalf of others when the event is open. To detect if you are vulnerable, check if participation requests contain the `user_uuid` parameter and if the application logs show actions performed on behalf of users by non-leader accounts.
Check current GLPI version via command line php bin/console --version | grep GLPI Search for the vulnerable function in the codebase grep -r "admFuncVariableIsValid.user_uuid" /path/to/glpi/modules/events/ Audit logs for potential abuse (example log path) grep "event_participation" /var/log/glpi/events.log | grep -v "user_id=$(whoami)"
How Exploit:
An attacker logs in as a standard user. They navigate to an event that is open for registration. Using a tool like Burp Suite or a simple curl command, they intercept the participation request and modify the `user_uuid` parameter to target a victim. The server validates the event status (open) and processes the request using the victim’s ID.
Example curl exploit curl -X POST "http://target-glpi/modules/events/events_function.php" \ -d "action=participate&event_id=123&user_uuid=VICTIM_UUID_HERE" \ -b "COOKIE_HEADER_HERE"
Protection from this CVE:
Immediate remediation requires patching to version 10.0.19 or higher. If immediate patching is impossible, a virtual patch can be applied by modifying the source code to force the user context. For non-leader users, force the `user_uuid` to the current user’s UUID, overriding any user-supplied value.
Example patch snippet (pseudo-code)
if (!$participants->isLeader($gCurrentUserId)) {
$getUserUuid = $gCurrentUser->getValue('usr_uuid');
}
Impact:
- Harassment: Registering unwilling users for events.
- Denial of Access: Canceling other users’ participation.
- Resource Exhaustion: Filling limited event slots with bogus registrations.
- Data Integrity: Manipulating participant lists and associated comments.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

