CVE-2023-43813: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a SQL injection vulnerability (CVE-2023-43813) affecting versions from 10.0.0 up to (but not including) version 10.0.11. The vulnerability was discovered and disclosed in December 2023, impacting the saved search feature functionality (GLPI Advisory).

The vulnerability is classified as a SQL injection (CWE-89) that affects the saved search feature. It received a CVSS v3.1 base score of 8.8 (HIGH) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while GitHub assessed it with a score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability requires low privileges and no user interaction to exploit (NVD).

The vulnerability allows an authenticated attacker to perform SQL injection attacks through the saved search feature, potentially leading to unauthorized access to sensitive data stored in the database. The high confidentiality impact rating suggests that the vulnerability could result in significant data exposure (GLPI Advisory).

The vulnerability has been patched in GLPI version 10.0.11. Organizations are strongly recommended to upgrade to this version or later to address the security issue. The fix was released as part of a security update that addressed multiple vulnerabilities (GLPI Release).

The release of version 10.0.11 received positive community engagement, with multiple users showing support for the security fixes. The GitHub release announcement received positive reactions from the community, including 10 thumbs up and 8 celebration reactions (GLPI Release).