CVE-2017-11567
published 2017-09-07CVE-2017-11567: Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests…
PriorityP356high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
4.13%
89.6th percentile
Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cesanta | mongoose_embedded_web_server_library | <= 6.8 | — |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Bugzilla
CVE-2017-11567 CVE-2017-2891 CVE-2017-2892 CVE-2017-2893 CVE-2017-2894 CVE-2017-2895 CVE-2017-2909 CVE-2017-2921 CVE-2017-2922 mongoose: various flaws [epel-6]
bugzilla·2017-09-13·CVSS 8.8
CVE-2017-11567 [HIGH] CVE-2017-11567 CVE-2017-2891 CVE-2017-2892 CVE-2017-2893 CVE-2017-2894 CVE-2017-2895 CVE-2017-2909 CVE-2017-2921 CVE-2017-2922 mongoose: various flaws [epel-6]
CVE-2017-11567 CVE-2017-2891 CVE-2017-2892 CVE-2017-2893 CVE-2017-2894 CVE-2017-2895 CVE-2017-2909 CVE-2017-2921 CVE-2017-2922 mongoose: various flaws [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and th
Bugzilla
CVE-2017-11567 mongoose: Cross-site request forgery via request to __mg_admin?save
bugzilla·2017-09-13·CVSS 8.8
CVE-2017-11567 [HIGH] CVE-2017-11567 mongoose: Cross-site request forgery via request to __mg_admin?save
CVE-2017-11567 mongoose: Cross-site request forgery via request to __mg_admin?save
Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely.
References:
https://www.exploit-db.com/exploits/42614/
http://seclists.org/fulldisclosure/2017/Sep/3
Discussion:
Created mongoose tracking bugs for this issue:
Affects: epel-6 [bug 1491143]
Affects: fedora-all [bug 1491144]
Bugzilla
CVE-2017-11567 CVE-2017-2891 CVE-2017-2892 CVE-2017-2893 CVE-2017-2894 CVE-2017-2895 CVE-2017-2909 CVE-2017-2921 CVE-2017-2922 mongoose: various flaws [fedora-all]
bugzilla·2017-09-13·CVSS 8.8
CVE-2017-11567 [HIGH] CVE-2017-11567 CVE-2017-2891 CVE-2017-2892 CVE-2017-2893 CVE-2017-2894 CVE-2017-2895 CVE-2017-2909 CVE-2017-2921 CVE-2017-2922 mongoose: various flaws [fedora-all]
CVE-2017-11567 CVE-2017-2891 CVE-2017-2892 CVE-2017-2893 CVE-2017-2894 CVE-2017-2895 CVE-2017-2909 CVE-2017-2921 CVE-2017-2922 mongoose: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelo
http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txthttp://seclists.org/fulldisclosure/2017/Sep/3https://www.exploit-db.com/exploits/42614/http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txthttp://seclists.org/fulldisclosure/2017/Sep/3https://www.exploit-db.com/exploits/42614/
2017-09-07
Published