Main Vulnerability Database Vulnerabilities #VU27566

#VU27566 Cross-site request forgery in GLPI - CVE-2020-11035

Published: May 6, 2020

Vulnerability identifier: #VU27566

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-11035

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
GLPI

Software vendor:
glpi-project

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin when the implementation uses rand and uniqid and MD5 which does not provide secure values. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Remediation

Install update from vendor's website.

External links

https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf

#VU27566 Cross-site request forgery in GLPI - CVE-2020-11035

Description

Remediation

External links

Please verify you're human