FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

glpi -- weak csrf tokens

Affected packages
0.83.3 < glpi
glpi < 9.4.6

Details

VuXML ID b64edef7-3b10-11eb-af2a-080027dbe4b7
Discovery 2020-03-30
Entry 2020-03-30

MITRE Corporation reports:

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand, uniqid and MD5, which do not provide secure values. This is fixed in version 9.4.6.
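The following is an added illustration, not GLPI's own code or the fix shipped in 9.4.6: it shows the token construction pattern the advisory describes (rand, uniqid and MD5 chained together) next to a hardened replacement built on the OS CSPRNG, and a helper that shows why rand() is unsuitable as a token source. Function names are assumptions chosen for this example.

```php
<?php
// Added example (not GLPI code). Illustrates the weak pattern named in
// CVE-2020-11035 beside a hardened construction.

// Weak pattern: rand() is a seedable PRNG, not a CSPRNG; uniqid() is derived
// from the current time in microseconds; md5() adds no entropy, it only
// disguises a small, guessable input space behind a fixed-width digest.
function weakCsrfToken(): string
{
    return md5(uniqid((string) rand(), true));
}

// Hardened: 32 bytes from the operating system's CSPRNG, hex-encoded.
// random_bytes() throws on failure instead of silently degrading.
function secureCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Validation: constant-time compare of the session-stored token against the
// one submitted with the form, so a mismatch leaks no timing information.
function csrfTokenIsValid(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Demonstrates the core weakness of rand(): given the same seed it replays
// the same sequence, so its output is reproducible rather than unpredictable.
function randIsReproducible(int $seed): bool
{
    mt_srand($seed);   // rand() shares the Mersenne Twister state since PHP 7.1
    $first = rand();
    mt_srand($seed);
    $second = rand();
    return $first === $second;
}

// Demonstrates the opposite property for the CSPRNG-backed token: two
// consecutive tokens never coincide and are the expected 64 hex characters.
function secureTokensAreDistinct(): bool
{
    $a = secureCsrfToken();
    $b = secureCsrfToken();
    return $a !== $b && strlen($a) === 64 && ctype_xdigit($a);
}

var_dump(randIsReproducible(12345));   // true: seeded rand() replays
var_dump(secureTokensAreDistinct());   // true: CSPRNG tokens do not
var_dump(csrfTokenIsValid(secureCsrfToken(), weakCsrfToken())); // false
```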

References

CVE Name CVE-2020-11035
URL https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
URL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/
URL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/