CVE-2023-37278: 
GLPI vulnerability analysis and mitigation

GLPI, a Free Asset and IT Management Software package for Data center management, ITIL Service Desk, licenses tracking and software auditing, was found to contain a SQL injection vulnerability (CVE-2023-37278). The vulnerability was discovered in the dashboard administration functionality and affects versions 9.5.0 and above. This security issue was patched in version 10.0.9, released on July 11, 2023 (GitHub Release, GitHub Advisory).

The vulnerability is classified as a SQL injection (CWE-89) with a CVSS v3.1 base score of 6.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N. The issue allows an administrator to trigger SQL injection via dashboards administration. The vulnerability requires high privileges to exploit but can be executed remotely with low attack complexity and no user interaction (GitHub Advisory, NVD).

The vulnerability has a high impact on confidentiality but no direct impact on integrity or availability. Due to the changed scope characteristic, the vulnerability could potentially affect resources beyond its security scope (GitHub Advisory).

The recommended mitigation is to upgrade to GLPI version 10.0.9 or later, which contains the security fix for this vulnerability (GitHub Release).