CVE-2019-14526

Опубликовано: 14 авг. 2019

Источник: nvd

CVSS3: 8.1

CVSS2: 5.8

EPSS Низкий

Описание

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. The web-interface Cross-Site Request Forgery token is stored in a dynamically generated JavaScript file, and therefore can be embedded in third party pages, and re-used against the Nighthawk web interface. This entirely bypasses the intended security benefits of the use of a CSRF-protection token.

Ссылки

https://www.pentestpartners.com/security-blog/how-not-to-do-cross-site-request-forgery-protection-the-netgear-nighthawk-m1/
Exploit
Third Party Advisory
https://www.pentestpartners.com/security-blog/how-not-to-do-cross-site-request-forgery-protection-the-netgear-nighthawk-m1/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:netgear:mr1100_firmware:*:*:*:*:*:*:*:*

Версия до 12.06.03 (исключая)

cpe:2.3:h:netgear:mr1100:-:*:*:*:*:*:*:*

EPSS

Процентиль: 37%

0.00157

Низкий

8.1 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-76g9-9frm-pxr6