CVE-2023-46727: 
GLPI vulnerability analysis and mitigation

GLPI (a free asset and IT management software package) was found to contain a SQL injection vulnerability (CVE-2023-46727) affecting versions 10.0.0 through 10.0.11. The vulnerability was discovered in the GLPI inventory endpoint, which could be exploited to perform SQL injection attacks. The issue was disclosed on December 13, 2023, and was patched in version 10.0.11 (GLPI Release, NVD).

The vulnerability exists due to improper validation of user data from inventory agent requests used in SQL queries. The issue received a CVSS v3.1 base score of 9.8 CRITICAL (NIST) and 8.6 HIGH (GitHub), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD, GitHub Advisory).

A successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to execute arbitrary SQL queries against the target server's database. This could potentially lead to unauthorized access, modification, or deletion of data in the database of the affected application (FortiGuard).

The vulnerability has been patched in GLPI version 10.0.11. Users are strongly recommended to upgrade to this version. As a temporary workaround, administrators can disable native inventory functionality if immediate upgrading is not possible (GLPI Release).

The vulnerability was discovered by Nikita Petrov from Positive Technologies and was considered a high-priority security issue. The GLPI project team recommended immediate updates, emphasizing the severity of the vulnerability in their release announcement (GitHub Advisory).