CVE-2023-42461: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package that provides ITIL Service Desk features, was found to contain a SQL injection vulnerability in versions 10.0.0 through 10.0.9. The vulnerability was discovered in September 2023 and affects the ITIL actors input field in the Ticket form (GitHub Advisory).

The vulnerability is identified as CVE-2023-42461 and has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST NVD, though GitHub's assessment rates it at 6.5 (MEDIUM). The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The issue specifically affects the ITIL actors input field from the Ticket form, which can be exploited to perform SQL injection attacks (NVD).

The vulnerability allows attackers to potentially access and manipulate the database through SQL injection, with high potential impact on data confidentiality. According to the CVSS metrics, while the attack requires high privileges, it can be executed remotely with low complexity and requires no user interaction (GitHub Advisory).

The recommended mitigation is to upgrade to GLPI version 10.0.10 or later, which contains the security fix. No alternative workarounds have been published for this vulnerability (GitHub Advisory).