@1337MoSalah
Last active February 16, 2021 20:46
Site-Wide Cross Site Request Forgery _ Nagios Core 4.2.4
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Vendor of Product]
> Nagios Enterprises
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Nagios Core - 4.2.4
>
> ------------------------------------------
>
> [Description]
> Nagios Core version 4.2.4 is vulnerable to site-wide Cross-Site Request Forgery (CSRF) in many functions, such as adding or deleting hosts or servers.
> The vulnerability is due to insufficient CSRF protections in the web UI of an affected version: a state-changing request is accepted on the strength of the browser-supplied session credential alone, with no check that the request originated from the Nagios UI itself.
> An attacker could exploit this vulnerability by persuading a logged-in user of the interface to follow a malicious link.
> A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
>
> ------------------------------------------
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Mohamed Salah ( InSanity )
>
> ------------------------------------------
>
> [Reference]
> http://nagios.com
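The advisory gives no endpoint, parameter names or PoC, so the following is an added example rather than code from the gist or from Nagios Core. It models the vulnerability class described above: a web UI handler that performs a state-changing action for any request carrying the victim's session cookie, beside a hardened handler that additionally requires an own-site Origin/Referer and a per-session anti-CSRF token. The path `/cgi-bin/cmd`, the `action`/`host`/`csrf` parameters, `SITE_ORIGIN`, the attacker URL and the session store are all assumptions made for illustration; the forged request is what a victim's browser would send after following a cross-site link or auto-submitting form.

```python
"""Added example (not Nagios Core code): CSRF-vulnerable vs hardened handler."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "https://nagios.example.internal"  # assumed deployment origin

# Server-side session store: session id -> {"user", "csrf"}.  Constructed.
SESSIONS = {}

# Stand-in for the state the UI commands mutate (hosts the advisory mentions).
HOSTS = {"web01", "db01"}


@dataclass
class Request:
    """Minimal HTTP request model; field names are assumptions."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def login(username: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the UI embeds in its own forms; unknown to a cross-site page."""
    return SESSIONS[sid]["csrf"]


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def _origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def _apply(params: dict):
    """The actual state change, shared by both handlers."""
    action, host = params.get("action"), params.get("host")
    if action == "add" and host:
        HOSTS.add(host)
        return 200, f"added {host}"
    if action == "delete" and host in HOSTS:
        HOSTS.discard(host)
        return 200, f"deleted {host}"
    return 400, "bad request"


def handle_command_vulnerable(req: Request):
    """Vulnerable pattern: the session cookie alone authorises the action.
    Browsers attach cookies automatically, so a link or form on any site
    the victim visits can trigger it (GET or POST, no token, any origin)."""
    sess = _session(req)
    if sess is None:
        return 403, "not logged in"
    return _apply(req.params)


def handle_command_hardened(req: Request):
    """Hardened pattern: POST only, own-origin only, per-session token."""
    sess = _session(req)
    if sess is None:
        return 403, "not logged in"
    if req.method != "POST":
        return 405, "state-changing actions require POST"
    # Check 1: Origin (or Referer as fallback) must be our own site.
    # Fail closed when neither header is present.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None or _origin_of(source) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Check 2: the token bound to this session, compared in constant time.
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return _apply(req.params)


def forged_request(victim_sid: str) -> Request:
    """What the victim's browser sends after following an attacker's link:
    the victim's cookie, the attacker's page as Referer, no token."""
    return Request("GET", "/cgi-bin/cmd",
                   cookies={"session": victim_sid},
                   headers={"Referer": "https://attacker.example/lure.html"},
                   params={"action": "delete", "host": "db01"})


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable:", handle_command_vulnerable(forged_request(sid)))
    HOSTS.add("db01")
    print("hardened:  ", handle_command_hardened(forged_request(sid)))
```

The hardened handler layers three independent checks so that a single missing header cannot reopen the hole: rejecting GET removes the plain-link vector, the Origin/Referer comparison fails closed when both headers are stripped, and the per-session token defeats a cross-site form POST that does carry a spoofable-looking Referer. Setting the session cookie with `SameSite=Lax` or `Strict` is a further, browser-enforced layer and not a replacement for the server-side token.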
h3xx commented Feb 16, 2021

Is there a PoC for this?
