Leakymetry: Circumventing GLPI Authentication

A vulnerability in GLPI (9.5.0–10.0.16) allows unauthenticated users to retrieve telemetry and an installation token, craft dashboard links, and inject SCSS that leverages scssphp's glob capability to list PHP session files in /files/_sessions/, enabling session hijacking and privilege escalation; a PoC tool (glpwnme), CVE-2024-50339, and a patched GLPI release (10.0.17) are documented.