Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-11034 — Incorrect Regular Expression in Glpi

CWE-185 — Incorrect Regular Expression CWE-601 — Open Redirect6 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

58.7%

top 1.78%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Glpi-project Glpi

Timeline

PublishedMay 5

Latest updateMay 11

Description

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDglpi-project/glpi< 9.4.6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-11034: In GLPI before version 9↗2020-05-05

▶

💥Exploits & PoCs

Nuclei

GLPI <9.4.6 - Open Redirect

▶

💬Community

Bugzilla

CVE-2020-11034 glpi: bypass open redirect protection based on a regexp↗2020-05-11

▶

Bugzilla

CVE-2020-11034 glpi: bypass open redirect protection based on a regexp [fedora-all]↗2020-05-11

▶

Bugzilla

CVE-2020-11034 glpi: bypass open redirect protection based on a regexp [epel-7]↗2020-05-11

▶