CVE-2023-41320
Published: 27 September 2023
Summary
CVE-2023-41320 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GLPI, an open-source IT asset and service management application, contains a SQL injection vulnerability in its UI layout preferences management component. The flaw, tracked as CWE-89, allows an authenticated user to manipulate stored preferences in a way that injects arbitrary SQL, which can be leveraged to extract or modify sensitive data within the application's database.
An attacker with low-privileged network access can exploit the issue without user interaction to take over an administrator account, resulting in high impact to confidentiality and integrity. The CVSS 3.1 score of 8.1 reflects the combination of remote exploitability and the ability to fully compromise an administrator session.
Public advisories from the GLPI project direct users to upgrade immediately to version 10.0.10 and state that no workarounds are available. The associated GitHub Security Advisory GHSA-mv2r-gpw3-g476 contains the official remediation guidance and patch details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45833
Vulnerability details
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to take over an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.