Main Vulnerability Database Vulnerabilities #VU30288

Cross-site request forgery in GLPI - CVE-2020-11060

Published: May 12, 2020 / Updated: October 25, 2024

Vulnerability identifier: #VU30288

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-11060

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: glpi-project

Affected software:
GLPI

Detailed vulnerability description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

How to mitigate CVE-2020-11060

Update to version 9.4.6.

Cross-site request forgery in GLPI - CVE-2020-11060

Detailed vulnerability description

How to mitigate CVE-2020-11060

Sources

Please verify you're human