CVE-2020-11060

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-11060

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11060.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-11060

Downstream

UBUNTU-CVE-2020-11060

Related

GHSA-cvvq-3fww-5v6f

Published

2020-05-12T20:15:11Z

Modified

2025-07-01T23:51:33.304353Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ad748d59c94da177a3ed25111c453902396f320c

Affected versions

0.*

0.90

0.90-RC1

0.90-RC2

0.90-beta1

0.90-beta2

0.90.1

9.*

9.1

9.1-RC1

9.1-RC2

9.3-beta

9.4.0

9.4.0-beta

9.4.0-rc1

9.4.0-rc2

9.4.1

9.4.1.1

9.4.2

9.4.3

9.4.4

9.4.5