CVE-2023-35940 : What You Need to Know

Learn about CVE-2023-35940 affecting GLPI software, allowing unauthorized access to sensitive dashboard data. Find mitigation steps and update details here.

GLPI vulnerable to unauthenticated access to Dashboard data.

Understanding CVE-2023-35940

GLPI is a free asset and IT management software package. An incorrect rights check vulnerability in versions prior to 10.0.8 allows unauthenticated access to dashboard data. Version 10.0.8 addresses this issue.

What is CVE-2023-35940?

CVE-2023-35940 identifies a vulnerability in GLPI that permits unauthenticated users to access dashboard data due to an improper rights check.

The Impact of CVE-2023-35940

The vulnerability is rated High severity, with a CVSS base score of 7.5. Attackers can gain unauthorized access to sensitive dashboard information, compromising confidentiality.

Technical Details of CVE-2023-35940

The vulnerability results from improper access control and authentication in GLPI versions prior to 10.0.8.

Vulnerability Description

An incorrect rights check on a file in GLPI versions < 10.0.8 allows unauthenticated users to access dashboard data, potentially exposing sensitive information.

Affected Systems and Versions

        Vendor: glpi-project
        Product: glpi
        Affected Versions: >= 9.5.0, < 10.0.8
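
An added example, not code from this page or from the GLPI project: triaging an inventory of GLPI version strings against the affected range listed above. The host names and sample inventory are constructed, and how the version strings are collected is assumed to happen elsewhere.

```python
import re

# Affected range as listed on this page: >= 9.5.0, < 10.0.8
AFFECTED_MIN = (9, 5, 0)
FIXED_IN = (10, 0, 8)
_RELEASE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a plain release number."""
    m = _RELEASE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # dev builds, empty fields: verify by hand
    if v >= FIXED_IN:
        return "fixed"
    if v >= AFFECTED_MIN:
        return "affected"
    # The version list starts at 9.5.0 while the prose says "prior to 10.0.8",
    # so older releases are reported separately for manual review.
    return "below-range"

def triage(inventory):
    """Group (host, version) pairs by status."""
    result = {"affected": [], "fixed": [], "below-range": [], "unknown": []}
    for host, version_text in inventory:
        result[classify(version_text)].append(host)
    return result

# Constructed sample inventory (hypothetical hosts)
SAMPLE = [
    ("helpdesk-01", "10.0.7"),
    ("helpdesk-02", "10.0.8"),
    ("assets-legacy", "9.5.13"),
    ("assets-old", "9.4.6"),
    ("itsm-eu", "10.0.10"),     # numeric compare: 10 > 8, unlike a string compare
    ("itsm-lab", "10.0.8-dev"),
    ("itsm-us", " v10.0.2 "),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```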

Exploitation Mechanism

Attackers can exploit this vulnerability remotely with low attack complexity, requiring no user interaction.

Mitigation and Prevention

To address CVE-2023-35940, immediate actions and long-term security practices are recommended.

Immediate Steps to Take

        Update GLPI to version 10.0.8, which contains the patch for this vulnerability.

Long-Term Security Practices

        Regularly monitor and update software to ensure the latest security patches are installed to prevent exploitation of known vulnerabilities.

Patching and Updates

        Stay informed about security advisories from GLPI and apply patches promptly to protect systems from potential threats.
