← voltar
CVE-2020-11060

Remote Code Execution in GLPI

CVSS 7.4 HIGHEPSS 10.9%CWE-74
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Produtos afetados
glpi-project · GLPI
PoCs públicas encontradas4
githubgithub.com/0xdreadnaught/cve-2020-11060-poc8cve_referencepacketstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.htmlnão verificadoexploitdbwww.exploit-db.com/exploits/49992não verificadoexploitdbwww.exploit-db.com/exploits/51726não verificado
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.htmlhttps://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320chttps://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f