CVE-2023-28632: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a critical security vulnerability (CVE-2023-28632) affecting versions from 0.83 up to versions 9.5.13 and 10.0.7. The vulnerability was disclosed on April 5, 2023, allowing authenticated users to modify emails of any user in the system (GLPI Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The technical assessment indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, and needs no user interaction. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

The vulnerability allows an authenticated user to modify email addresses of any user in the system, enabling two significant attack vectors: account takeover through the 'forgotten password' feature and unauthorized access to sensitive data through GLPI notifications. This creates a serious security breach in the system's user management and data protection capabilities (GLPI Advisory).

The vulnerability has been patched in GLPI versions 9.5.13 and 10.0.7. As a temporary workaround, administrators can prevent account takeover by deactivating all notifications related to the 'Forgotten password?' event. However, this workaround will not prevent unauthorized modification of user emails. The recommended action is to upgrade to the patched versions (GLPI Release).