CVE-2023-35940: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a security vulnerability (CVE-2023-35940) affecting versions from 9.5.0 up to (excluding) 10.0.8. The vulnerability was disclosed on July 5, 2023, and involves an incorrect rights check that allows unauthenticated users to access dashboard data (GitHub Advisory).

The vulnerability is rated as High severity with a CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue stems from improper access control (CWE-284) and authentication (CWE-287) mechanisms in the application. The vulnerability can be exploited remotely through the network, requires low attack complexity, needs no privileges or user interaction, and while the scope is unchanged, it can result in high impact on confidentiality (GitHub Advisory).

The vulnerability allows unauthorized access to dashboard data, potentially exposing sensitive information to unauthenticated users. The impact is primarily on data confidentiality, with no direct effect on system integrity or availability (GitHub Advisory).

The vulnerability has been patched in GLPI version 10.0.8. Organizations using affected versions are strongly recommended to upgrade to version 10.0.8 to address this security issue (GitHub Release).