Unrated severityNVD Advisory· Published May 5, 2020· Updated Aug 4, 2024

weak CSRF tokens in GLPI

CVE-2020-11035

Description

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

Affected products

Glpi Project/Glpiv5
Range: > 0.83.3, < 9.4.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/mitrevendor-advisoryx_refsource_FEDORA
github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpfmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000