GLPI (popular in France & Brazil) versions 9.5.0 to 10.0.16 allow sessions of authenticated users to be hijacked remotely. The details and the process of discovering the vulnerability are described by @GuilhemRioux here:
https://sensepost.com/blog/2025/leakymetry-circumventing-glpi-authentication/
A vulnerability checking tool is also available: https://github.com/Orange-Cyberdefense/glpwnme
Demo at https://youtu.be/OTaCV4-6qHE
