Vulnerability Description
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 0.83.3, < 9.4.6 |
| Fedoraproject | Fedora | 31 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpfTechnical Description
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpfTechnical Description
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-11035?
CVE-2020-11035 is a vulnerability with a CVSS score of 7.5 (HIGH). In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. ...
How severe is CVE-2020-11035?
CVE-2020-11035 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11035?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi, Fedoraproject Fedora.