weak csrf tokens

Moderate
trasher published GHSA-w7q8-58qp-vmpf May 5, 2020

Package

glpi-project/glpi

Affected versions

> 0.83.3

Patched versions

9.4.6

Description

The CSRF tokens are weakly generated:

$CURRENTCSRFTOKEN = md5(uniqid(rand(), true));

rand() and uniqid() are not cryptographically secure sources, and md5() adds no entropy, so these tokens do not provide secure values.
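As an added example (the editor's illustration, not GLPI code and not the contents of commit 039c184), the weak generator quoted above placed next to a hardened generator built on PHP's random_bytes(), together with a constant-time, single-use verifier. The function names and the in-memory session array are assumptions made for the demonstration.

```php
<?php
// Added example: the advisory's weak CSRF token generator beside a hardened one.
// Not GLPI's code; the session array below stands in for $_SESSION.

// Weak (as quoted in the advisory): rand() is not a CSPRNG, uniqid() is
// derived from the clock, and md5() adds no entropy to its input.
// Kept here only to show the flawed pattern.
function weakCsrfToken(): string
{
    return md5(uniqid(rand(), true));
}

// Hardened: 32 bytes from the operating system's CSPRNG, hex-encoded to
// 64 characters. random_bytes() throws if no secure source is available
// rather than silently falling back to a weak one.
function secureCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Issue a token and store it server-side for the current session.
function issueCsrfToken(array &$session): string
{
    $token = secureCsrfToken();
    $session['csrf_token'] = $token;
    return $token;
}

// Verify a submitted token: reject missing values, consume the stored token
// so it cannot be replayed, and compare in constant time with hash_equals().
function verifyCsrfToken(array &$session, ?string $submitted): bool
{
    $expected = $session['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    unset($session['csrf_token']); // one-time use
    if (strlen($submitted) !== strlen($expected)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Demonstration with a constructed in-memory session.
$session = [];
$token = issueCsrfToken($session);
var_dump(verifyCsrfToken($session, $token));                  // valid, first use
var_dump(verifyCsrfToken($session, $token));                  // already consumed
$token2 = issueCsrfToken($session);
var_dump(verifyCsrfToken($session, str_repeat('0', 64)));     // wrong token
```

Running the script shows the first check succeeding and the two that follow failing: the replayed token was consumed on first use, and the forged all-zero value fails the constant-time comparison. The hardened generator never touches rand(), uniqid() or md5(), so the token's unpredictability rests entirely on the CSPRNG.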

Impact

All GLPI versions since 0.83.3

Patches

Fixed in 039c184

Reference

https://offsec.almond.consulting/multiple-vulnerabilities-in-glpi.html

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2020-11035

Weaknesses

No CWEs