CVE-2014-9104 — Cross-Site Request Forgery in Access Server

CWE-352 — Cross-Site Request Forgery2 documents2 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 53.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openvpn Access Server

Timeline

PublishedNov 26

Latest updateMay 14

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDopenvpn/openvpn_access_server1.5.6

🔴Vulnerability Details

GHSA

GHSA-93r2-34ph-r52j: Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1↗2022-05-14

▶