PT-2020-12521 · Teclib · Glpi

Published: 2020-05-12 · Updated: 2021-11-04 · CVE-2020-11060
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.4.6

Description: The vulnerability allows an attacker to execute system commands by abusing the backup functionality. Because of the difficulty of exploitation, the attack is realistically only conceivable for an authenticated account that has Maintenance privileges and the right to add WiFi networks. In theory it can also be triggered by an attacker without a valid account by means of CSRF against such a user.

Recommendations: Update GLPI to version 9.4.6 or later. As a temporary workaround, restrict access to the backup functionality and limit the number of accounts holding Maintenance privileges and the right to add WiFi networks, so that fewer users can reach the vulnerable code path.
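Added illustration for the description and the recommendation above (example code written for this page, not GLPI's own code): a version gate against the 9.4.6 fix boundary, a scan for shell metacharacters in already-stored names, the vulnerable command shape (untrusted name concatenated into a shell command line) beside a hardened form that allow-lists the name and builds argv without a shell, and a constant-time CSRF token check for the CSRF route the advisory mentions. The command shape, the `wifi_name` injection point, `BACKUP_DIR` and all function names are assumptions made for the example, not details taken from GLPI's source.

```python
"""Added illustration (not GLPI code) of two things this advisory talks about:
the version gate from the recommendation, and the weakness class behind the
finding: an untrusted name reaching a shell-built backup command. The command
shape, the `wifi_name` injection point, the paths and the CSRF helper are all
assumptions made for the example, not details taken from GLPI's source.
"""
import hmac
import posixpath
import re
from typing import List, Tuple

FIXED_VERSION = (9, 4, 6)          # first fixed release per the advisory
BACKUP_DIR = "/var/backups/glpi"   # assumed location, for illustration only
SHELL_META = set(";|&$`<>()\n")    # characters a POSIX shell interprets
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '9.4.5' or '9.4.6-rc1' into three numeric parts and a pre-release flag."""
    base, sep, _suffix = version.strip().partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums = (nums + (0, 0, 0))[:3]          # '9.4' compares like '9.4.0'
    return nums, bool(sep)


def is_affected(version: str) -> bool:
    """True for any release below 9.4.6; pre-releases of 9.4.6 are treated as affected."""
    nums, prerelease = parse_version(version)
    if nums < FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and prerelease


def find_shell_metacharacters(name: str) -> str:
    """Sorted string of shell metacharacters present in a name; '' if clean.
    Useful for scanning names stored before the patch was applied."""
    return "".join(sorted(c for c in set(name) if c in SHELL_META))


def build_backup_command_vulnerable(wifi_name: str) -> str:
    """Vulnerable shape: the name is concatenated into a command line meant for
    a shell (e.g. subprocess.run(cmd, shell=True)). 'x$(id)' or 'x; rm -rf /'
    would run. Returned as a string for comparison only; never execute it."""
    return f"mysqldump --single-transaction glpi > {BACKUP_DIR}/{wifi_name}.sql"


def is_safe_backup_name(wifi_name: str) -> bool:
    """Allow-list check: letters, digits, '.', '_', '-' only, 1..64 chars, no leading dot."""
    return SAFE_NAME.match(wifi_name) is not None


def plan_backup_hardened(wifi_name: str) -> Tuple[List[str], str]:
    """Hardened shape: reject names outside the allow-list, keep the name out of
    the command entirely, and build argv for subprocess.run(argv, stdout=fh)
    with no shell, so metacharacters are never interpreted. The output path is
    normalised and must stay inside BACKUP_DIR."""
    if not is_safe_backup_name(wifi_name):
        raise ValueError(f"rejected backup name: {wifi_name!r}")
    out_path = posixpath.normpath(posixpath.join(BACKUP_DIR, wifi_name + ".sql"))
    if not out_path.startswith(BACKUP_DIR + "/"):
        raise ValueError("backup path escapes the backup directory")
    argv = ["mysqldump", "--single-transaction", "glpi"]
    return argv, out_path


def verify_csrf_token(session_token: str, submitted_token: str) -> bool:
    """Constant-time comparison of the per-session token with the one submitted
    alongside the backup request; empty tokens are never accepted. This is the
    generic control against the CSRF route the advisory mentions."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    print(is_affected("9.4.5"), is_affected("9.4.6"))
    print(build_backup_command_vulnerable("corp$(id)"))
    print(plan_backup_hardened("corp-wifi"))
```

The hardened path deliberately never places the user-supplied name in argv: the name only decides the output file, and even that is constrained by the allow-list and the directory check. Running `find_shell_metacharacters` over existing names is a cheap way to spot data that was stored while an unpatched version was in use.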

Exploit · Fix · Special Elements Injection · CSRF


Weakness Enumeration

Related Identifiers

ALT-PU-2020-2358
ALT-PU-2020-2455
CVE-2020-11060
GHSA-CVVQ-3FWW-5V6F

Affected Products

Alt Linux
Glpi