CVE-2020-37078
Published: 03 February 2026
Summary
CVE-2020-37078 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in i-doit Open Source CMDB 1.14.1. (The affected-product field was originally inferred as "Sourceforge" from the references; SourceForge is where the project is hosted, not the product.) Reported CVSS v3.1 base scores range from 7.2 to 8.8, both in the High band; the vector documented in the deeper analysis below computes to 8.8.
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). It ranks at the 24.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-37078 is a file deletion vulnerability in the import module of i-doit Open Source CMDB version 1.14.1. It enables authenticated attackers to delete arbitrary files from the server's filesystem by manipulating the delete_import parameter in a POST request to the import module, using a crafted filename. The issue is classified under CWE-73 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and without user interaction. By sending a specially crafted POST request, the attacker can remove any file the web server process is permitted to unlink (on POSIX systems that depends on write access to the containing directory, not on the permissions of the file itself), with high impact on confidentiality, integrity, and availability: deleting configuration, data or cache files can disrupt CMDB operations, and removing access-control or lock files can open the way to further compromise.
Advisories and related resources, including those from VulnCheck and an Exploit-DB proof-of-concept (ID 48427), document the vulnerability, while the official i-doit sites provide project details. Version 1.14.1 is the only release named; whether earlier or later releases are affected is not stated, and no specific patch or mitigation steps are detailed in the available information.
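To make the CWE-73 pattern and the AC-3 / SI-10 mitigations concrete, the following is an added illustrative example, not i-doit's code and not the fix the project shipped. It shows the vulnerable shape (a user-supplied delete_import value joined directly onto the import directory) beside a hardened handler that first enforces an authorization check and then accepts only a plain file name inside the import directory. The directory layout, file names, the "import_admin" role and the function names are all constructed for the demonstration; it assumes a POSIX filesystem.

```python
"""Added example (not i-doit code): vulnerable vs. hardened delete_import handling."""
import os
import tempfile
from pathlib import Path


class DeleteError(Exception):
    """Raised when a deletion request is rejected."""


def delete_import_vulnerable(import_dir: str, delete_import: str) -> str:
    """Vulnerable pattern (CWE-73): the request parameter is joined onto the
    import directory without validation. '../' sequences escape the directory
    and an absolute path replaces it entirely. Returns the path unlinked."""
    target = os.path.join(import_dir, delete_import)
    os.remove(target)
    return target


def delete_import_hardened(import_dir: str, delete_import: str,
                           user_roles: set, required_role: str = "import_admin") -> str:
    """Hardened handler: authorization first (AC-3), then parameter
    validation (SI-10), then a filesystem check before the unlink."""
    # AC-3: only an explicitly authorized role may delete imported files.
    # ("import_admin" is an assumed role name for this example.)
    if required_role not in user_roles:
        raise DeleteError("not authorized to delete imports")

    # SI-10: accept a bare file name only. Reject empty names, NUL bytes,
    # anything containing a path separator, '.'/'..' and dotfiles before
    # doing any path arithmetic at all.
    if (not delete_import or "\x00" in delete_import
            or delete_import != os.path.basename(delete_import)
            or delete_import in (".", "..") or delete_import.startswith(".")):
        raise DeleteError("invalid import file name")

    base = Path(import_dir).resolve()
    target = base / delete_import
    # A symlink planted in the import directory must not redirect the unlink.
    if target.is_symlink() or not target.is_file():
        raise DeleteError("not a regular file in the import directory")
    # Belt and braces: the resolved target must still sit under the import dir.
    if base not in target.resolve().parents:
        raise DeleteError("path escapes import directory")

    target.unlink()
    return str(target)


def demo() -> dict:
    """Constructed scenario: an import directory holding one upload, and a
    sensitive file one level up that the attacker wants removed."""
    with tempfile.TemporaryDirectory() as root:
        import_dir = os.path.join(root, "imports")
        os.makedirs(import_dir)
        upload = os.path.join(import_dir, "hosts.csv")
        secret = os.path.join(root, "config.ini")
        for p in (upload, secret):
            Path(p).write_text("constructed sample content\n")

        results = {}
        # 1. Vulnerable handler with a traversal payload: config.ini is gone.
        delete_import_vulnerable(import_dir, "../config.ini")
        results["vuln_deleted_outside"] = not os.path.exists(secret)
        Path(secret).write_text("restored\n")

        # 2. Hardened handler rejects the same payloads (and some variants).
        payloads = {"traversal": "../config.ini", "absolute": secret,
                    "dotdot": "..", "dotfile": ".htaccess", "nul": "a\x00b"}
        for label, payload in payloads.items():
            try:
                delete_import_hardened(import_dir, payload, {"import_admin"})
                results[label] = "deleted"  # would be a bug
            except DeleteError as e:
                results[label] = str(e)
        results["secret_survives"] = os.path.exists(secret)

        # 3. A valid name from an unauthorized role is refused.
        try:
            delete_import_hardened(import_dir, "hosts.csv", {"reader"})
            results["unauthorized"] = "deleted"
        except DeleteError as e:
            results["unauthorized"] = str(e)

        # 4. The legitimate request still works.
        delete_import_hardened(import_dir, "hosts.csv", {"import_admin"})
        results["legit_deleted"] = not os.path.exists(upload)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks matters: the authorization test runs before any parameter is inspected, so an unprivileged caller learns nothing about which names exist, and the name validation runs before the path is built, so no traversal string ever reaches the filesystem. The trailing resolve-and-compare check is redundant with the basename rule but cheap, and it catches a future refactor that loosens the validation.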
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30996
Vulnerability details
i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct arbitrary file deletion primitive maps precisely to the File Deletion sub-technique (T1070.004) under Indicator Removal (T1070).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the delete_import parameter so that crafted filenames cannot drive arbitrary file deletion through the import module.
- AC-3 (Access Enforcement): enforces approved access authorizations so that authenticated low-privilege users cannot delete arbitrary files accessible to the web server process.
- Restricts and authorizes access to change operations, such as file deletions performed via the import module.