CSRF in Openvpn Openvpn_access_server
CVE-2014-9104
Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disc…
Vulnerability class: CSRF (Cross-Site Request Forgery)
EPSS: 0.002 (46.5th percentile)
Affected products
- Openvpn Openvpn_access_server
- N/a — versions n/a
Weakness classification (CWE)
References
- 20140716 SEC Consult SA-20140716-1 :: Remote Code Execution via CSRF in OpenVPN Access Server "Desktop Client" (mailing-list, x_refsource_BUGTRAQ)
- 20140716 SEC Consult SA-20140716-1 :: Remote Code Execution via CSRF in OpenVPN Access Server "Desktop Client" (mailing-list, Exploit, x_refsource_FULLDISC)
- cve@mitre.org (Exploit, x_refsource_MISC)
- cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
- cve@mitre.org (Exploit, x_refsource_MISC)