CVE-2022-35946: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking, and software auditing, was found to contain a vulnerability identified as CVE-2022-35946. The vulnerability was discovered and disclosed on September 14, 2022, affecting all versions prior to 10.0.3. The issue exists in the plugin controller where request input is not properly validated, potentially allowing access to the low-level API of the Plugin class (GitHub Advisory).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 6.5 (MEDIUM) according to NVD, and 5.5 (MEDIUM) according to GitHub. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N, indicating that the vulnerability is network-accessible, requires high privileges, but no user interaction, and can affect both confidentiality and integrity of the system (NVD).

The vulnerability allows an attacker with 'General setup' update rights to alter database data through improper input validation in the plugin controller. This can lead to unauthorized data modification and potential access to sensitive information (GitHub Advisory).

Users are advised to upgrade to GLPI version 10.0.3 or later. For those unable to upgrade immediately, a temporary workaround is available by removing the front/plugin.form.php script from the installation (GitHub Advisory).