CVE-2020-11060
HIGH 7.4
Description
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
CVE Details
CVSS v3.1 score: 7.4
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 5/12/2020
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
glpi-project:glpi
Weaknesses (CWE)
CWE-74, CWE-352
References
http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html (security-advisories@github.com)
https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c (security-advisories@github.com)
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f (security-advisories@github.com)
http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.