CVE-2020-37078 – i-doit CMDB Arbitrary File Deletion Vulnerability

“A simple parameter manipulation can let an attacker quietly erase files from the CMDB server and undermine the integrity of the entire asset database.”

A high-severity vulnerability in i-doit Open Source CMDB 1.14.1, tracked as CVE-2020-37078, allows an authenticated attacker to delete arbitrary files on the server. The flaw is in the import module: the application hands the value of the delete_import parameter to its file-deletion routine without checking that it names a file inside the import directory. By sending a crafted POST request whose delete_import value is a manipulated filename pointing outside that directory, an attacker can make the application unlink files elsewhere on the underlying filesystem.
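The pattern described above, as an added example that is not i-doit's code: an unsafe delete that joins the user-supplied name onto the import directory and unlinks it, beside a hardened version that confines deletions to that directory. The function names, the flat layout of the import directory and the sample files are assumptions made for this example; only the parameter name delete_import comes from the advisory.

```python
"""Added example (not i-doit code): unsafe vs. confined file deletion
for an import module whose client sends a `delete_import` parameter.
All names, paths and sample files here are assumptions for illustration."""
import os
import shutil
import tempfile
from pathlib import Path


class ImportDeleteError(ValueError):
    """Raised when a requested deletion is not a plain file in the import dir."""


def delete_import_vulnerable(import_dir: str, delete_import: str) -> str:
    """Unsafe pattern: the user-supplied value is joined onto the import
    directory and unlinked without validation. '..' segments walk out of
    the directory, and os.path.join discards import_dir entirely when the
    value is an absolute path, so anything the web server user may unlink
    can be removed."""
    target = os.path.join(import_dir, delete_import)
    os.remove(target)
    return target


def delete_import_safe(import_dir: str, delete_import: str) -> str:
    """Hardened pattern: accept only a bare file name, then resolve the
    result (following symlinks) and require it to be a regular file that
    still sits inside the resolved import directory."""
    base = Path(import_dir).resolve()
    # Import files live flat in one directory (assumption), so a value
    # containing separators, '..' or an absolute path is never legitimate.
    name = os.path.basename(delete_import)
    if name != delete_import or name in ("", ".", ".."):
        raise ImportDeleteError(f"rejected import name: {delete_import!r}")
    # Resolve symlinks before the containment check so a link planted in the
    # import directory cannot redirect the unlink to a file elsewhere.
    target = (base / name).resolve()
    try:
        target.relative_to(base)
    except ValueError as exc:
        raise ImportDeleteError(f"outside import directory: {target}") from exc
    if not target.is_file():
        raise ImportDeleteError(f"not a regular file: {target}")
    target.unlink()
    return str(target)


def demo() -> dict:
    """Build a throwaway tree (constructed for this example), run both
    versions against a traversal payload, and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="idoit-example-"))
    try:
        import_dir = root / "imports"
        import_dir.mkdir()
        (import_dir / "hosts.csv").write_text("hostname;ip\n")
        (import_dir / "old.csv").write_text("hostname;ip\n")
        victim = root / "config.ini"  # a file outside the import directory
        victim.write_text("[db]\n")
        payload = "../config.ini"  # constructed delete_import value
        result = {}

        delete_import_vulnerable(str(import_dir), payload)
        result["vulnerable_deleted_outside"] = not victim.exists()

        victim.write_text("[db]\n")  # recreate and replay against the fix
        try:
            delete_import_safe(str(import_dir), payload)
            result["safe_rejected_traversal"] = False
        except ImportDeleteError:
            result["safe_rejected_traversal"] = True
        result["victim_survived_safe"] = victim.exists()

        try:
            delete_import_safe(str(import_dir), "/etc/hostname")
            result["safe_rejected_absolute"] = False
        except ImportDeleteError:
            result["safe_rejected_absolute"] = True

        link = import_dir / "link.csv"
        try:
            link.symlink_to(victim)
            try:
                delete_import_safe(str(import_dir), "link.csv")
                result["safe_rejected_symlink"] = False
            except ImportDeleteError:
                result["safe_rejected_symlink"] = True
        except OSError:
            result["safe_rejected_symlink"] = None  # symlinks unsupported here

        # A legitimate request (plain name inside the directory) still works.
        delete_import_safe(str(import_dir), "old.csv")
        result["safe_deleted_legit"] = not (import_dir / "old.csv").exists()
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The basename check alone would already stop the traversal and absolute-path cases; the resolve-and-contain step is kept because it is the check that also defeats a symlink inside the import directory, which a name filter cannot see.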

The vulnerability carries a CVSS v3.1 score of 8.8 (High). It can be exploited over the network with low privileges and no user interaction, so an attacker holding even a limited account on the platform can cause significant damage. Because the deletion is performed by the application process, the attacker can remove any file the web server user is permitted to unlink, which typically includes application files, logs, uploads and configuration data. Losing those files can disrupt CMDB operations, compromise data integrity, or take the application offline entirely.

Public exploit code has been published demonstrating how the vulnerability is triggered through the import interface, which raises the practical risk for internet-exposed or poorly secured i-doit deployments. Until the affected version is updated, limit which accounts can reach the import module and make sure the application's own code and configuration are not writable by the web server user, so that a successful request can at most delete files the application is supposed to manage.
