CVE-2023-42462: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing, was found to contain a vulnerability where the document upload process could be exploited to delete files. This vulnerability affects versions from 10.0.0 up to (excluding) 10.0.10, and was disclosed on September 26, 2023 (GitHub Advisory).

The vulnerability has been assigned CVE-2023-42462 and received a CVSS v3.1 base score of 7.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The primary impact of this vulnerability is on system availability, as it allows attackers to delete files through the document upload process. The CVSS metrics indicate high impact on availability while showing no direct impact on confidentiality or integrity (GitHub Advisory).

The recommended mitigation is to upgrade to GLPI version 10.0.10 or later, which contains the patch for this vulnerability. No alternative workarounds have been provided (GitHub Advisory).