CVE-2023-28849: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a critical vulnerability (CVE-2023-28849) affecting versions 10.0.0 through 10.0.7. The vulnerability was discovered in the GLPI inventory endpoint, which by default requires no authentication, making it particularly concerning. The issue was disclosed and patched on April 5, 2023, with the release of version 10.0.7 (GitHub Release, NIST NVD).

The vulnerability combines two critical security issues: SQL injection and Stored Cross-Site Scripting (XSS) through the inventory agent request functionality. The severity of this vulnerability is rated as Critical with a CVSS v3.1 base score of 10.0 according to GitHub's assessment, while NIST rates it as Medium with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability is tracked under both CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (GitHub Advisory).

The vulnerability allows attackers to perform SQL injection attacks through the inventory endpoint, potentially accessing or manipulating sensitive database information. Additionally, the stored XSS component enables attackers to inject malicious code that could be executed when other users access the affected system. The lack of authentication requirement by default on the inventory endpoint significantly increases the potential impact (GitHub Advisory).

The primary mitigation is to upgrade to GLPI version 10.0.7, which contains the security patch for this vulnerability. For users unable to upgrade immediately, a workaround is available by disabling the native inventory feature. This temporary solution can help prevent exploitation while planning for the upgrade (GitHub Release, GitHub Advisory).