CVE-2023-31452

Опубликовано: 09 авг. 2023

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Ссылки

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:paessler:prtg_network_monitor:*:*:*:*:*:*:*:*

Версия до 23.3.86.1520 (исключая)

EPSS

Процентиль: 78%

0.01129

Низкий

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-jmqg-4j8j-7728

CVSS3: 6.5

github

больше 2 лет назад

An issue was discovered in Paessler PRTG Network Monitor 23.2.83.1760 x64. The NetApp Volume Sensor transmits cleartext credentials over the network when the HTTP protocol is selected. This can be triggered remotely via a CSRF by simply sending a controls/addsensor3.htm link to a logged-in victim.