CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS
Percentile: 59.8%

In GLPI before 9.4.6, an attacker can execute system commands by abusing
the backup functionality. Theoretically, this vulnerability can be
exploited by an attacker without a valid account by using a CSRF. Due to
the difficulty of the exploitation, the attack is only conceivable by an
account having Maintenance privileges and the right to add WIFI networks.
This is fixed in version 9.4.6.
github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
launchpad.net/bugs/cve/CVE-2020-11060
nvd.nist.gov/vuln/detail/CVE-2020-11060
security-tracker.debian.org/tracker/CVE-2020-11060
www.cve.org/CVERecord?id=CVE-2020-11060