exploitDog

CVE-2020-23585

Опубликовано: 23 нояб. 2022

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

A remote attacker can conduct a cross-site request forgery (CSRF) attack on OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028. The vulnerability is due to insufficient CSRF protections for the "mgm_config_file.asp" because of which attacker can create a crafted "csrf form" which sends " malicious xml data" to "/boaform/admin/formMgmConfigUpload". the exploit allows attacker to "gain full privileges" and to "fully compromise of router & network".

Ссылки

https://github.com/huzaifahussain98/CVE-2020-23585
Third Party Advisory
https://github.com/huzaifahussain98/CVE-2020-23585
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:optilinknetwork:op-xt71000n_firmware:3.3.1-191028:*:*:*:*:*:*:*

cpe:2.3:h:optilinknetwork:op-xt71000n:2.2:*:*:*:*:*:*:*

EPSS

Процентиль: 44%

0.00214

Низкий

8.8 High

CVSS3

Дефекты

CWE-352

CWE-352

Связанные уязвимости

GHSA-9mvm-3jhf-4g7g

CVSS3: 8.8

github

около 3 лет назад

A remote attacker can conduct a cross-site request forgery (CSRF) attack on OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028. The vulnerability is due to insufficient CSRF protections for the "mgm_config_file.asp" because of which attacker can create a crafted "csrf form" which sends " malicious xml data" to "/boaform/admin/formMgmConfigUpload". the exploit allows attacker to "gain full privileges" and to "fully compromise of router & network".

EPSS

Процентиль: 44%

0.00214

Низкий

8.8 High

CVSS3

Дефекты

CWE-352

CWE-352