Main Vulnerability Database Exploits ID:10692 - Exploit for Cross-site request forgery in GLPI - CVE-2020-11060

ID:10692 - Exploit for Cross-site request forgery in GLPI - CVE-2020-11060

Published: October 25, 2024

Vulnerability identifier: #VU30288

Vulnerability risk: Medium

CVE-ID: CVE-2020-11060

CWE-ID: CWE-352

Exploitation vector: Remote access

Vulnerable software:
GLPI

Link to public exploit:

https://www.exploit-db.com/exploits/51726/

Vulnerability description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

Remediation

Update to version 9.4.6.

ID:10692 - Exploit for Cross-site request forgery in GLPI - CVE-2020-11060

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human