CVE-2020-11060 · CVEKit

cve.orgen

391 chars

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

NVDen

391 chars

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

NVDes

453 chars

En GLPI versiones anteriores a 9.4.6, un atacante puede ejecutar comandos del sistema al abusar de la funcionalidad backup. Teóricamente, esta vulnerabilidad puede ser explotada por un atacante sin una cuenta válida mediante el uso de un ataque de tipo CSRF. Debido a la dificultad de la explotación, el ataque solo es concebible por una cuenta que tenga privilegios Maintenance y el derecho de agregar redes WIFI. Esto es corregido en la versión 9.4.6.

CVSS metrics across sources

4

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	9.0	8.0	10.0	AV:N/AC:L/Au:S/C:C/I:C/A:C
3.1	Primary	NVD	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H