Vulnerability CVE-2020-11060
Published: 2020-05-12

Description:
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

See advisories in our WLB2 database:

Risk   Topic                              Author         Date
High   GLPI 9.4.5 Remote Code Execution   Brian Peters   04.07.2021

Type: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score:          9/10
Impact Subscore:          10/10
Exploitability Subscore:  8/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Single time

Confidentiality impact:   Complete
Integrity impact:         Complete
Availability impact:      Complete

Affected software: Glpi-project -> GLPI

References:
https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f

Copyright 2024, cxsecurity.com