MoSalah20/CVE-2020-35269

Last active Feb 16, 2021
Site-Wide Cross Site Request Forgery _ Nagios Core 4.2.4
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Vendor of Product]
> Nagios Enterprises
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Nagios Core - 4.2.4
>
> ------------------------------------------
>
> [Description]
> Nagios Core version 4.2.4 is vulnerable to site-wide Cross-Site Request Forgery (CSRF) in many functions, such as adding and deleting hosts or servers.
> The vulnerability is due to insufficient CSRF protections in the web UI of the affected version.
> An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link.
> A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Mohamed Salah ( InSanity )
>
> ------------------------------------------
>
> [Reference]
> http://nagios.com
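
A defender-side check for the issue described above, as an added example that is not part of the original gist or of Nagios: it reads web-server access logs and flags authenticated requests to the Nagios command CGI whose Referer is missing or points at another site. The combined log format, the host name `nagios.example.internal` and the `/nagios/cgi-bin/cmd.cgi` path are assumptions about the deployment; the advisory does not name an endpoint.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): "combined" access-log format, the UI
# served from TRUSTED_HOSTS, and commands submitted through COMMAND_CGI.
TRUSTED_HOSTS = {"nagios.example.internal"}
COMMAND_CGI = "/nagios/cgi-bin/cmd.cgi"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def classify(line):
    """Return None for irrelevant lines, else (verdict, user, referer)."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m["target"]).path != COMMAND_CGI:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"    # stripped or direct request: review, not proof
    elif urlsplit(referer).hostname in TRUSTED_HOSTS:
        verdict = "same-origin"   # submitted from the Nagios UI itself
    else:
        verdict = "cross-origin"  # another site triggered the request
    return verdict, m["user"], referer

def suspicious(lines):
    """Authenticated command requests that did not originate from the UI."""
    hits = []
    for line in lines:
        result = classify(line)
        # CSRF rides an existing session, so skip unauthenticated ("-") requests.
        if result and result[0] != "same-origin" and result[1] != "-":
            hits.append(result)
    return hits

# Constructed sample log lines (documentation addresses and host names).
SAMPLE = [
    '192.0.2.10 - nagiosadmin [16/Feb/2021:10:00:01 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1532 "https://nagios.example.internal/nagios/cgi-bin/status.cgi?host=all" "Mozilla/5.0"',
    '192.0.2.10 - nagiosadmin [16/Feb/2021:10:05:12 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1498 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '192.0.2.10 - nagiosadmin [16/Feb/2021:10:05:13 +0000] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 9120 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '192.0.2.11 - nagiosadmin [16/Feb/2021:10:06:40 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 200 1498 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Feb/2021:10:07:30 +0000] "POST /nagios/cgi-bin/cmd.cgi HTTP/1.1" 401 381 "https://forum.example.net/thread/42" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE):
        print(hit)
```

The Referer header is only a heuristic signal: privacy settings and referrer policies can remove it, so `no-referer` hits need correlation with the Nagios command log before drawing conclusions.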

@h3xx h3xx commented Feb 16, 2021

Is there a PoC for this?
