Vulnerability Description
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 9.4.6 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.htmThird Party AdvisoryVDB Entry
- https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396fPatchThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6fPatchThird Party Advisory
- http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.htmThird Party AdvisoryVDB Entry
- https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396fPatchThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6fPatchThird Party Advisory
FAQ
What is CVE-2020-11060?
CVE-2020-11060 is a vulnerability with a CVSS score of 7.4 (HIGH). In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a ...
How severe is CVE-2020-11060?
CVE-2020-11060 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11060?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.