CVE-2024-37149: 
GLPI vulnerability analysis and mitigation

GLPI, an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing, has been found to contain a vulnerability identified as CVE-2024-37149. The vulnerability was discovered and disclosed on July 10, 2024, affecting all versions from 0.85 up to (excluding) 10.0.16. This security issue allows an authenticated technician user to upload a malicious PHP script and hijack the plugin loader to execute this malicious script (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges. GitHub's assessment assigns a slightly lower CVSS score of 7.2 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-73 (External Control of File Name or Path) (NVD).

The vulnerability poses significant security risks as it allows for remote code execution through the plugin loader. If successfully exploited, an attacker with technician-level access could achieve high levels of confidentiality breach, integrity compromise, and availability impact on the affected system (GitHub Advisory).

The recommended mitigation is to upgrade to GLPI version 10.0.16, which contains the security fix for this vulnerability (GitHub Advisory).