CVE-2022-35914
GLPI vulnerability analysis and mitigation

Overview

CVE-2022-35914 affects the htmlawed module in GLPI through version 10.0.2, specifically the file /vendor/htmlawed/htmlawed/htmLawedTest.php, which allows unauthenticated PHP code injection. The vulnerability was discovered in July 2022 and publicly disclosed in September 2022 (NIST, GLPI Advisory).

Technical details

The vulnerability exists in the htmLawedTest.php test script of the third-party htmLawed library shipped in GLPI's vendor folder. The script lets a requester control the htmLawed configuration parameters, including a hook function. An attacker can exploit this by using PHP's exec function as the hook, which results in command injection where both the command and its parameters are user-controlled (Mayfly Blog). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NIST).

Impact

This vulnerability allows unauthenticated remote code execution on affected systems, representing a critical security risk. When GLPI is exposed to the internet, attackers can execute arbitrary commands on the server without requiring authentication (Mayfly Blog).

Mitigation and workarounds

The vulnerability was patched in GLPI versions 10.0.3 and 9.5.9. For immediate mitigation without upgrading, administrators should delete the file /vendor/htmlawed/htmlawed/htmLawedTest.php and restrict direct web access to the vendor folder. It is also recommended to limit GLPI access to internal networks or place it behind an authentication portal (GLPI Advisory, Mayfly Blog).
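The two workarounds above, as an added POSIX shell example that is not part of the advisory or of the GLPI project: one function reports whether the test script is present under a GLPI root, one removes it, and one prints an Apache 2.4 snippet that denies direct web access to the vendor directory. The GLPI root path and the use of Apache are assumptions; the file path is the one named in the advisory.

```shell
#!/bin/sh
# Added example (not GLPI project code): check for and remove the
# htmLawedTest.php script named in the CVE-2022-35914 advisory, and
# emit a web-server rule that blocks direct access to vendor/.

# Relative path of the vulnerable test script, as given in the advisory.
VULN_REL_PATH="vendor/htmlawed/htmlawed/htmLawedTest.php"

# Returns 0 and prints "present: <path>" if the test script exists under
# the given GLPI root directory; returns 1 and prints "absent: ..." otherwise.
glpi_htmlawed_test_present() {
    root="$1"
    target="$root/$VULN_REL_PATH"
    if [ -f "$target" ]; then
        printf 'present: %s\n' "$target"
        return 0
    fi
    printf 'absent: %s\n' "$target"
    return 1
}

# Applies the advisory's first workaround: delete the test script.
# Returns 0 when the file is gone afterwards (including when it was
# already absent), 1 if it could not be removed.
glpi_remove_htmlawed_test() {
    root="$1"
    target="$root/$VULN_REL_PATH"
    if [ -f "$target" ]; then
        rm -f "$target" && printf 'removed: %s\n' "$target"
    fi
    [ ! -e "$target" ]
}

# Applies the advisory's second workaround for an Apache 2.4 deployment
# (assumed web server): print a <Directory> block that denies all direct
# requests to the vendor folder. Paste the output into the site config.
glpi_vendor_deny_apache() {
    root="$1"
    cat <<EOF
# Deny direct web access to the GLPI vendor directory (CVE-2022-35914 workaround)
<Directory "$root/vendor">
    Require all denied
</Directory>
EOF
}

# Usage: GLPI_ROOT=/var/www/glpi sh check_glpi_htmlawed.sh
# (/var/www/glpi is an assumed install location, not one from the advisory)
if [ -n "${GLPI_ROOT:-}" ]; then
    if glpi_htmlawed_test_present "$GLPI_ROOT"; then
        glpi_remove_htmlawed_test "$GLPI_ROOT"
    fi
    glpi_vendor_deny_apache "$GLPI_ROOT"
fi
```

Run it with `GLPI_ROOT` set to the install directory; the check and removal are idempotent, so the script can be scheduled as a recurring control until the instance is upgraded to 10.0.3 or 9.5.9.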

Community reactions

The vulnerability received significant attention from the security community, leading to its inclusion in CISA's Known Exploited Vulnerabilities Catalog. Both the HTMLAWED library vendor and GLPI project responded quickly to patch the vulnerability, with GLPI releasing security updates in September 2022 (Hacker News).

This report was generated using AI.
