CVE-2020-15175
published 2020-10-07CVE-2020-15175: In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted…
PriorityP268critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
71.55%
99.3th percentile
In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | < 9.5.2 | 9.5.2 |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Unauthenticated File Deletion (CVE-2020-15175)"; flow:established,to_server; http.uri; content:"/front/pluginimage.send.php|3f|"; fast_pattern; content:"plugin|3d|"; content:"name|3d|"; content:"clean"; reference:url,github.com/Orange-Cyberdefense/glpwnme; reference:cve,2020-15175; classtype:web-application-attack; sid:2067152; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSEncrypt, created_at 2026_01_28, cve CVE_2020_15175, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Monitor HTTP requests to /front/pluginimage.send.php containing the query parameters 'plugin=', 'name=', and the string 'clean', which is the pattern used to trigger malicious .htaccess deletion.
- →Watch for unauthorized access to /files/ directory contents (session files, logs) following exploitation, which may indicate an attacker harvesting administrator session tokens for lateral movement. ↗
- ·The exploit is unauthenticated — no valid session or credentials are required to trigger the .htaccess deletion via the pluginimage.send.php endpoint.
- ·The Snort/Suricata rule (sid:2067152) includes deployment metadata for both plaintext (Perimeter, Internal) and TLS-decrypted traffic (SSLDecrypt, TLSEncrypt), meaning detection requires SSL inspection for encrypted traffic.
- ·The vulnerability is patched in GLPI version 9.5.2; all versions prior to 9.5.2 are affected. ↗
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
osv9.1CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS GLPI Unauthenticated File Deletion (CVE-2020-15175)
suricata·2026-01-28·CVSS 7.4
CVE-2020-15175 [HIGH] ET WEB_SPECIFIC_APPS GLPI Unauthenticated File Deletion (CVE-2020-15175)
ET WEB_SPECIFIC_APPS GLPI Unauthenticated File Deletion (CVE-2020-15175)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Unauthenticated File Deletion (CVE-2020-15175)"; flow:established,to_server; http.uri; content:"/front/pluginimage.send.php|3f|"; fast_pattern; content:"plugin|3d|"; content:"name|3d|"; content:"clean"; reference:url,github.com/Orange-Cyberdefense/glpwnme; reference:cve,2020-15175; classtype:web-application-attack; sid:2067152; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSEncrypt, created_at 2026_01_28, cve CVE_2020_15175, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_A
No public exploits indexed.
Bugzilla
CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [fedora-all]
bugzilla·2020-10-08·CVSS 7.4
CVE-2020-15175 [HIGH] CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [fedora-all]
CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multip
Bugzilla
CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [epel-7]
bugzilla·2020-10-08·CVSS 7.4
CVE-2020-15175 [HIGH] CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [epel-7]
CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template
Bugzilla
CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/
bugzilla·2020-10-08·CVSS 7.4
CVE-2020-15175 [HIGH] CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/
CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/
In GLPI before version 9.5.2, the `?pluginimage.send.php?` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
References:
https://github.com/glpi-project/glpi/commit/6ca9a0e77299a755c356d758344a23278df67f65
https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcp
Discuss
https://github.com/glpi-project/glpi/commit/6ca9a0e77299a755c356d758344a23278df67f65https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcphttps://github.com/glpi-project/glpi/commit/6ca9a0e77299a755c356d758344a23278df67f65https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcp
2020-10-07
Published