Main Vulnerability Database Vulnerabilities #VU30288

#VU30288 Cross-site request forgery in GLPI - CVE-2020-11060

Published: May 12, 2020 / Updated: October 25, 2024

Vulnerability identifier: #VU30288

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2020-11060

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
GLPI

Software vendor:
glpi-project

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

Remediation

Update to version 9.4.6.

#VU30288 Cross-site request forgery in GLPI - CVE-2020-11060

Description

Remediation

External links

Please verify you're human