CVE-2020-11034
published 2020-05-05

Priority: P3 (42) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: available (Nuclei template, see Detection & IOCs)
EPSS: 7.61% (93.8th percentile)
In GLPI before version 9.4.6, the open redirect protection is implemented as a regexp, and that regexp can be bypassed, allowing an attacker to redirect a user to an external host. This is fixed in version 9.4.6.

Affected (1 range)

Vendor        Product  Version range  Fixed in
glpi-project  glpi     < 9.4.6        9.4.6

Detection & IOCs (extracted from sources)

url    /index.php?redirect=/\/interact.sh
url    /index.php?redirect=//interact.sh
regex  (?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$

  • Probe the GLPI login endpoint with a redirect parameter prefixed by a double slash (`//`) or by slash-backslash-slash (`/\/`) to bypass the regexp-based open redirect protection; a vulnerable instance answers with a 3xx response whose Location header points at the external host. (`interact.sh` is the out-of-band callback host placeholder used in the Nuclei template.)
  • Match the Location header of the response against the regex to confirm exploitation; the bypass relies on the regexp failing to catch slash-prefixed or backslash-prefixed redirect values. Because the regex uses the `(?m)` flag, `^Location` can also match a line in a response body, so apply it to the header block of a 3xx response rather than to the whole response.
  • Fingerprint GLPI instances via Shodan/FOFA using the page title or favicon hash before probing for the vulnerability.
  • The vulnerability is classified under CWE-185 (Incorrect Regular Expression); detection should focus on regexp-bypass payloads using double-slash (`//`) or slash-backslash-slash (`/\/`) prefixes in the `redirect` parameter.
  • The Nuclei template issues exactly 2 HTTP requests (one per bypass payload); both target the same `index.php?redirect=` parameter but use different bypass syntaxes (`/\/` vs `//`).
  • Only GLPI versions strictly before 9.4.6 are vulnerable; version 9.4.6 patches the regexp.
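The following is an added example, not code from this page, from GLPI or from the Nuclei template. It builds the two probe URLs listed above, applies the page's Location regex to a 3xx response only, and sets a hypothetical weak check (a regexp that only rejects absolute `http(s)://` values, standing in for the pre-9.4.6 behaviour; the real GLPI pattern is not on this page) beside a hardened same-site check. `interact.sh` is the callback host placeholder from the payloads above, `http://glpi.example` is a made-up base URL, and the two HTTP responses are constructed samples, not captured traffic.

```python
"""Added example (not code from the CVE page or from GLPI): probe builder and
response check modelled on the page's two Nuclei payloads, beside a
hypothetical weak redirect check and a hardened replacement."""
import re
from urllib.parse import urlsplit

# OAST callback host placeholder used in the page's payloads (Nuclei fills in
# its interactsh URL at run time). Assumption: any label under it counts.
OAST_HOST = "interact.sh"

# The two bypass values from the page, in the template's request order.
BYPASS_PAYLOADS = ["/\\/" + OAST_HOST, "//" + OAST_HOST]

# Regex copied from the page; (?m) makes ^ and $ work per line.
LOCATION_RE = re.compile(
    r"(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?"
    r"(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$"
)


def probe_urls(base_url: str) -> list[str]:
    """URLs for the two probe requests against a GLPI base URL (no trailing slash)."""
    return [f"{base_url}/index.php?redirect={p}" for p in BYPASS_PAYLOADS]


def is_redirect_to_oast(raw_response: str) -> bool:
    """True when a raw HTTP response is a 3xx whose Location points at the OAST host.

    The status check matters: with (?m) the page's regex would also match a
    'Location: ...' line echoed inside a 200 response body.
    """
    head, _, _ = raw_response.partition("\r\n\r\n")
    status = head.split("\r\n", 1)[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return False
    return LOCATION_RE.search(head) is not None


def weak_redirect_check(redirect: str) -> bool:
    """Hypothetical stand-in for a regexp check that only rejects absolute
    http(s) URLs; it accepts //host and /\\/host, the two bypass shapes."""
    return re.match(r"^https?://", redirect, re.IGNORECASE) is None


def is_safe_local_redirect(redirect: str) -> bool:
    """Hardened check: allow only a same-site absolute path.

    Browsers (WHATWG URL parsing) treat backslashes as slashes, so '/\\/host'
    is normalised before the scheme-relative '//' test, and urlsplit then
    confirms no scheme or host survived.
    """
    value = redirect.replace("\\", "/")
    if not value.startswith("/") or value.startswith("//"):
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


# Constructed sample responses for an offline dry run (not captured traffic).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: //interact.sh\r\n"
    "Content-Length: 0\r\n\r\n"
)
PATCHED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /front/central.php\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for url in probe_urls("http://glpi.example"):
        print("probe:", url)
    print("vulnerable sample flagged:", is_redirect_to_oast(VULNERABLE_RESPONSE))
    print("patched sample flagged:", is_redirect_to_oast(PATCHED_RESPONSE))
    for payload in BYPASS_PAYLOADS:
        print(payload, "weak check passes:", weak_redirect_check(payload),
              "hardened check passes:", is_safe_local_redirect(payload))
```

The hardened check is deliberately an allow-list (a single leading slash, no scheme, no host after backslash normalisation) rather than a deny-list regexp, which is the class of mistake CWE-185 describes; it is a general pattern for validating a `redirect` parameter, not a description of the change shipped in GLPI 9.4.6.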

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd     v2.0     5.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:N
osv     -        6.1    MEDIUM    -