SB2020051277 - Multiple vulnerabilities in glpi-project GLPI
Published: May 12, 2020 Updated: November 14, 2025
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2020-11060)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on the vulnerable website on behalf of the victim, such as executing system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited through CSRF by an attacker without a valid account. Because of the difficulty of exploitation, the attack is only conceivable from an account that has Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
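What a server-side check against the CSRF described above looks like, as an added Go example that is not GLPI's own code: a state-changing request is accepted only if its Origin header (or, failing that, its Referer) matches the site's own origin and the form carries the anti-CSRF token bound to the session. The `csrf_token` form field, the `glpi.example` host and the request path are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sameOrigin reports whether raw (an Origin or Referer header value) resolves
// to exactly the site's scheme and host. An empty or unparsable value fails.
func sameOrigin(raw, siteOrigin string) bool {
	got, err := url.Parse(raw)
	if err != nil || got.Scheme == "" || got.Host == "" {
		return false
	}
	want, err := url.Parse(siteOrigin)
	if err != nil {
		return false
	}
	return strings.EqualFold(got.Scheme, want.Scheme) && strings.EqualFold(got.Host, want.Host)
}

// StateChangingRequestAllowed applies two independent checks to a request that
// changes state (for example, one that triggers a backup): the browser-supplied
// origin must match the site, and the form must carry the CSRF token issued to
// the session. Both checks must pass; the token comparison is constant-time.
func StateChangingRequestAllowed(r *http.Request, siteOrigin, sessionToken string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		origin = r.Header.Get("Referer") // fallback for browsers that omit Origin
	}
	if !sameOrigin(origin, siteOrigin) {
		return false
	}
	if sessionToken == "" {
		return false // no token was ever issued for this session
	}
	formToken := r.FormValue("csrf_token") // hypothetical field name, not GLPI's
	return subtle.ConstantTimeCompare([]byte(formToken), []byte(sessionToken)) == 1
}

// newFormPost builds a constructed POST carrying the given Origin/Referer
// headers and form token, so the check can be exercised without a server.
func newFormPost(origin, referer, token string) *http.Request {
	body := strings.NewReader(url.Values{"csrf_token": {token}}.Encode())
	r := httptest.NewRequest(http.MethodPost, "https://glpi.example/action", body)
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if referer != "" {
		r.Header.Set("Referer", referer)
	}
	return r
}

func main() {
	const site = "https://glpi.example"
	const token = "session-token-constructed"
	fmt.Println("same origin, valid token:", StateChangingRequestAllowed(newFormPost(site, "", token), site, token))
	fmt.Println("cross-site origin:        ", StateChangingRequestAllowed(newFormPost("https://other.example", "", token), site, token))
	fmt.Println("valid origin, bad token:  ", StateChangingRequestAllowed(newFormPost(site, "", "wrong"), site, token))
	fmt.Println("no origin, no referer:    ", StateChangingRequestAllowed(newFormPost("", "", token), site, token))
}
```

The two checks are deliberately independent: an origin check alone is defeated when a browser strips both headers, and a token alone is only as good as the secrecy of the session, so a request must satisfy both before any privileged action such as a backup runs.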
2) Cross-site scripting (CVE-ID: CVE-2020-11062)
The vulnerability allows a remote authenticated user to read and manipulate data.
In GLPI after 0.68.1 and before 9.4.6, multiple reflected XSS vulnerabilities occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
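An added Go example, not GLPI's code, of the hardened response a dropdown-style endpoint that reflects a search term should return: the body is serialised with HTML-significant characters escaped, the Content-Type is set explicitly to JSON, and `X-Content-Type-Options: nosniff` is added so a browser will not render reflected input as HTML. `AuditJSONResponse` is a small checker that flags the weak setting. The `/ajax/dropdown` path and the `searchText` parameter are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// WriteJSON serialises v with the headers that stop a browser from treating the
// body as HTML. Go's encoder escapes <, > and & inside strings when
// SetEscapeHTML is true, so reflected input cannot break out of the JSON context
// even if the media type is ever mishandled downstream.
func WriteJSON(w http.ResponseWriter, status int, v any) error {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(true)
	if err := enc.Encode(v); err != nil {
		return err
	}
	h := w.Header()
	h.Set("Content-Type", "application/json; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(status)
	_, err := w.Write(buf.Bytes())
	return err
}

// dropdownHandler is a hypothetical endpoint that echoes the search term back
// alongside its (empty) result list, the shape of response the advisory is about.
func dropdownHandler(w http.ResponseWriter, r *http.Request) {
	term := r.URL.Query().Get("searchText")
	_ = WriteJSON(w, http.StatusOK, map[string]any{
		"searchText": term,
		"results":    []string{},
	})
}

// AuditJSONResponse lists what a reviewer would flag on a response that reflects
// user input: a non-JSON Content-Type, or a missing nosniff header.
func AuditJSONResponse(h http.Header) []string {
	var problems []string
	if !strings.HasPrefix(strings.ToLower(h.Get("Content-Type")), "application/json") {
		problems = append(problems, fmt.Sprintf("Content-Type is %q, expected application/json", h.Get("Content-Type")))
	}
	if !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		problems = append(problems, "missing X-Content-Type-Options: nosniff")
	}
	return problems
}

// RenderDropdown runs the handler against a constructed GET for term and returns
// the response headers and body for inspection.
func RenderDropdown(term string) (http.Header, string) {
	req := httptest.NewRequest(http.MethodGet, "/ajax/dropdown?searchText="+url.QueryEscape(term), nil)
	rec := httptest.NewRecorder()
	dropdownHandler(rec, req)
	res := rec.Result()
	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)
	return res.Header, string(body)
}

func main() {
	h, body := RenderDropdown("<b>term</b> & more")
	fmt.Println("Content-Type:", h.Get("Content-Type"))
	fmt.Println("body:", body)
	fmt.Println("problems with hardened response:", AuditJSONResponse(h))

	weak := http.Header{} // constructed: the kind of header set the advisory calls invalid
	weak.Set("Content-Type", "text/html; charset=UTF-8")
	fmt.Println("problems with text/html response:", AuditJSONResponse(weak))
}
```

The header fix and the escaping are complementary: the explicit JSON media type plus `nosniff` decides how the browser interprets the body, while the escaping keeps the body harmless even where a proxy or a second consumer rewrites the headers.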
3) Use of hard-coded credentials (CVE-ID: CVE-2020-5248)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
GLPI before version 9.4.6 has a vulnerability involving a default encryption key: GLPIKEY is public and is used on every instance, so anyone can decrypt sensitive data stored with it. The key can be changed before installing GLPI, but on existing instances the data must be re-encrypted with the new key. The problem is that there is no way to know which columns or rows in the database use that key, especially for plugins. Changing the key without updating the data would result in GLPI sending bad passwords; storing them again from the UI, however, will work.
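An added Go example, not GLPI's code, of the rotation step the bulletin says an existing instance needs when the shared GLPIKEY is replaced: generate a per-instance key from the OS CSPRNG, try every stored value under the old key, re-encrypt the ones that authenticate, and report the rows that do not (plugin data, plaintext, or values under some other key) instead of overwriting or silently skipping them. AES-256-GCM, the `Row` type and the table and column names are assumptions of this example, not GLPI's storage format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewKey returns 32 random bytes from the OS CSPRNG: a key unique to this
// instance, replacing one that every installation shares.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns base64(nonce || ciphertext || tag) under AES-256-GCM.
// The authentication tag is what lets Rotate tell "encrypted under this key"
// apart from anything else that happens to be in the column.
func Encrypt(key, plaintext []byte) (string, error) {
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, plaintext, nil)), nil
}

// Decrypt reverses Encrypt and fails on malformed input or a bad tag.
func Decrypt(key []byte, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
}

// Row is one stored cell identified by where it lives (constructed type).
type Row struct {
	Table, Column string
	ID            int
	Value         string
}

// Rotate re-encrypts every row that authenticates under oldKey with newKey and
// returns, separately, the rows it could not decrypt so an operator can decide
// what they are (a plugin's own scheme, plaintext, or data under another key).
func Rotate(rows []Row, oldKey, newKey []byte) (rotated, skipped []Row, err error) {
	for _, r := range rows {
		pt, derr := Decrypt(oldKey, r.Value)
		if derr != nil {
			skipped = append(skipped, r)
			continue
		}
		nv, eerr := Encrypt(newKey, pt)
		if eerr != nil {
			return nil, nil, eerr
		}
		r.Value = nv
		rotated = append(rotated, r)
	}
	return rotated, skipped, nil
}

func main() {
	oldKey, _ := NewKey()
	newKey, _ := NewKey()
	v, _ := Encrypt(oldKey, []byte("constructed-secret"))
	rows := []Row{ // constructed sample rows; names are hypothetical
		{Table: "some_table", Column: "secret", ID: 1, Value: v},
		{Table: "plugin_table", Column: "token", ID: 7, Value: "stored-by-plugin"},
	}
	rotated, skipped, err := Rotate(rows, oldKey, newKey)
	fmt.Println("rotated:", len(rotated), "skipped:", len(skipped), "err:", err)
	for _, r := range skipped {
		fmt.Printf("needs manual review: %s.%s id=%d\n", r.Table, r.Column, r.ID)
	}
}
```

Returning the skipped rows is the point of the example: re-saving the affected secrets through the UI, as the bulletin describes, only works if an operator knows which rows those are.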
Remediation
Install update from vendor's website.
References
- https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
- https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
- https://github.com/glpi-project/glpi/commit/5e1c52c5e8a30ceb4e9572964da7ed89ddfb1aaf
- https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h
- https://github.com/glpi-project/glpi/commit/efd14468c92c4da43333aa9735e65fd20cbc7c6c
- https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9