CVE-2020-11060

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

04 Nov 2021, 17:53

Type Values Removed Values Added
CWE CWE-74 CWE-352
References (MISC) http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html - (MISC) http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html - Third Party Advisory, VDB Entry

14 Jun 2021, 18:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html -

Information

Published : 2020-05-12 20:15

Updated : 2024-02-04 21:00


NVD link : CVE-2020-11060

Mitre link : CVE-2020-11060

CVE.ORG link : CVE-2020-11060


JSON object : View

Products Affected

glpi-project

  • glpi
CWE
CWE-352

Cross-Site Request Forgery (CSRF)

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')