CVE-2020-11035

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-11035

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11035.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-11035

Related

GHSA-w7q8-58qp-vmpf
MGASA-2020-0220
UBUNTU-CVE-2020-11035

Published

2020-05-05T22:15:12Z

Modified

2024-11-21T04:56:38Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N CVSS Calculator

Summary

[none]

Details

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

367fcbb8330a2dcca07bf3eff723b3dd58c75f32

Fixed

7fbee4f15b37c98f6f2078bd10634ef02b5edc25