CVE-2024-48912: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, contains a security vulnerability (CVE-2024-48912) that affects versions from 10.0.0 up to (excluding) 10.0.17. The vulnerability was discovered and disclosed in December 2024, allowing any authenticated user to delete any user account within the system through an application endpoint (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 7.2 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-284 (Improper Access Control). The attack vector is network-based, requires low attack complexity, and can be executed with low privileges and no user interaction (GitHub Advisory).

The vulnerability allows authenticated users to delete any user account in the system, regardless of their privilege level. This could lead to significant disruption of system operations and potential denial of service by removing critical user accounts (Security Online).

The vulnerability has been patched in GLPI version 10.0.17. Users are strongly recommended to upgrade to this version to mitigate the risk. The patch was released as part of a security update that addressed multiple vulnerabilities (GLPI Release).