CVE-2020-11060
PUBLISHED
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
Risk Scores
EPSS Score: 7.01% (91.6th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | glpi | 0, 0.84.8+dfsg.1-1, 0.84.8+dfsg.1-1ubuntu1 |
Exploit Intelligence
- Python3 POC for CVE 2020-11060 (github-poc-repo)
- Python3 POC for CVE 2020-11060 (github-poc)
Timeline
- May 12, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 14, 2021 PoC Published
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 15, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 15, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-11060 third-party-advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f third-party-advisory
- https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-11060 third-party-advisory