Last active February 16, 2021 20:46
Site-Wide Cross Site Request Forgery _ Nagios Core 4.2.4
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Vendor of Product]
> Nagios Enterprises
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Nagios Core - 4.2.4
>
> ------------------------------------------
>
> [Description]
> Nagios Core version 4.2.4 is vulnerable to site-wide Cross-Site Request Forgery (CSRF) in many functions, such as adding or deleting hosts or servers.
> The vulnerability is due to insufficient CSRF protections for the web UI on an affected version: state-changing requests are accepted on the strength of the session cookie alone, with no check that the request was issued by the Nagios UI itself.
> An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a malicious link or visit a page that silently submits a form to the Nagios web UI.
> A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
>
> ------------------------------------------
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Mohamed Salah ( InSanity )
>
> ------------------------------------------
>
> [Reference]
> http://nagios.com
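The description above boils down to one defect: a state-changing request is authorized by the session cookie alone, which the victim's browser attaches to a form post from any site. The following is an added example written for this page, not code from the gist, from Nagios Core, or from Nagios Enterprises. It models that weak pattern next to a hardened handler that adds two independent checks (an exact Origin/Referer comparison and a per-session synchronizer token compared in constant time), and shows what the request the advisory describes looks like when it reaches the server. Everything in it is constructed for illustration: the `SITE_ORIGIN` value, the in-memory session store, and the `delete_host` action name are assumptions, not Nagios endpoints or identifiers.

```python
"""CSRF: the weak authorization pattern beside a hardened one.

Added example, not Nagios code. SITE_ORIGIN, the session store and the
'delete_host' action are hypothetical stand-ins for a monitoring web UI.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical origin of the deployed UI (assumption, not from the advisory).
SITE_ORIGIN = "https://nagios.example.test"

# In-memory session store: session id -> {"user", "csrf"}. Constructed for this example.
SESSIONS: dict[str, dict[str, str]] = {}


def new_session(user: str) -> str:
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the site's own forms embed as a hidden field."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    method: str
    headers: dict[str, str]
    cookies: dict[str, str]
    form: dict[str, str] = field(default_factory=dict)


def vulnerable_handle(req: Request) -> tuple[int, str]:
    """Weak pattern: the action is authorized by the session cookie alone.
    Browsers attach cookies to a cross-site form post, so any page the victim
    visits can drive this handler with the victim's privileges."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    return 200, f"{sess['user']}: {req.form.get('action', '?')}"


def _same_origin(value: str) -> bool:
    """Exact scheme + host[:port] comparison. A prefix match would wrongly
    accept https://nagios.example.test.attacker.test."""
    p = urlparse(value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def hardened_handle(req: Request) -> tuple[int, str]:
    """Same action with two independent CSRF checks; each alone would stop
    the forged request below, together they cover each other's gaps."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return 403, "not logged in"
    # Check 1: Origin (falling back to Referer) must be our own site. A web page
    # cannot set these headers on a form post; fail closed when both are absent.
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not _same_origin(source):
        return 403, "cross-origin request rejected"
    # Check 2: the submitted token must equal the per-session secret. Constant-time
    # comparison so a wrong token cannot be refined byte by byte via timing.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid csrf token"
    return 200, f"{sess['user']}: {req.form.get('action', '?')}"


def forged_request(sid: str) -> Request:
    """What arrives when the victim's browser auto-submits an attacker's form:
    the attacker's Origin, the victim's cookie, no token. The action and host
    names are hypothetical."""
    return Request("POST",
                   {"Origin": "https://attacker.test"},
                   {"sid": sid},
                   {"action": "delete_host", "host": "web01"})


def legitimate_request(sid: str) -> Request:
    """A post from the site's own form, carrying the embedded token."""
    return Request("POST",
                   {"Origin": SITE_ORIGIN},
                   {"sid": sid},
                   {"action": "delete_host", "host": "web01",
                    "csrf_token": csrf_token_for(sid)})


if __name__ == "__main__":
    sid = new_session("admin")
    print("vulnerable, forged:", vulnerable_handle(forged_request(sid)))
    print("hardened,   forged:", hardened_handle(forged_request(sid)))
    print("hardened,   legit :", hardened_handle(legitimate_request(sid)))
```

The Origin check is cheap and needs no server-side state, but some proxies and privacy settings strip Referer and a few clients omit Origin, which is why the handler fails closed rather than skipping the check, and why the token remains the primary control. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but only for browsers that honour it, so it complements rather than replaces the server-side checks shown here.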
Is there a PoC for this?