CVE-2020-15046
Published 2020-06-24
Priority: P3 · 58 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public (Exploit-DB entries below)
EPSS: 2.30% (81.1th percentile)
The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users. The fixed versions are BIOS 3.2 and firmware 03.88. As with any CSRF, the attacker needs a logged-in BMC administrator's browser to load an attacker-controlled page (the UI:R in the CVSS vector); the forged POST to cgi/config_user.cgi then carries the victim's session cookie, and the BMC processes it as if the administrator had submitted the form, leaving a new administrator account behind.
Affected
2 ranges
| Vendor | Product | Affected version | Fixed in |
|---|---|---|---|
| supermicro | x10drh-it_bios | 2.0a | 3.2 |
| supermicro | x10drh-it_firmware | 03.40 | 03.88 |
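As an added example (not code from the advisory, Supermicro or this tracker), the following Python flags hosts whose BIOS or IPMI firmware is below the fixed releases named above. The inventory, host names and version strings are constructed sample data; the `version_key` comparator is an assumption about Supermicro's numbering (dot-separated numeric fields with an optional letter suffix, as in 2.0a), and it treats a host as patched only when both components are at or above the fixed release, since the advisory lists both.

```python
"""Fleet triage for CVE-2020-15046 against the fixed versions the advisory
names (BIOS 3.2, IPMI firmware 03.88). Added example, not Supermicro's or
the tracker's code. The inventory is constructed sample data: host names
and version strings are made up, the fixed versions come from the page."""
import re

FIXED_BIOS = "3.2"      # from the advisory
FIXED_IPMI = "03.88"    # from the advisory


def version_key(v: str) -> tuple:
    """Turn a Supermicro-style version string into a comparable tuple.

    '03.88' -> ((3, ''), (88, '')) so leading zeros do not matter, and
    '2.0a'  -> ((2, ''), (0, 'a')) so a letter suffix (BIOS 2.0a) sorts
    after the bare number instead of breaking the comparison.
    Assumption: this numbering scheme is inferred from the versions on the page."""
    parts = []
    for piece in v.strip().split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if m is None:
            raise ValueError(f"unparseable version field {piece!r} in {v!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def is_vulnerable(bios: str, ipmi: str) -> bool:
    """The advisory lists a fixed BIOS and a fixed IPMI firmware; treat the
    host as patched only when both are at or above those releases."""
    return (version_key(bios) < version_key(FIXED_BIOS)
            or version_key(ipmi) < version_key(FIXED_IPMI))


# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"host": "bmc-01", "bios": "2.0a", "ipmi": "03.40"},  # both at the affected level
    {"host": "bmc-02", "bios": "3.2",  "ipmi": "03.88"},  # both at the fixed level
    {"host": "bmc-03", "bios": "3.2",  "ipmi": "03.40"},  # BIOS updated, BMC still old
    {"host": "bmc-04", "bios": "3.3",  "ipmi": "03.91"},  # newer than the fix
]


def triage(inventory) -> list:
    """Return the hosts still exposed, sorted by name."""
    return sorted(r["host"] for r in inventory
                  if is_vulnerable(r["bios"], r["ipmi"]))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update BIOS to {FIXED_BIOS} and IPMI firmware to {FIXED_IPMI}")
```

On the sample inventory this reports bmc-01 and bmc-03; bmc-03 is the case worth noticing, since a BIOS update alone leaves the BMC web interface at 03.40. Feed it the BIOS and BMC firmware versions from your own inventory source; the comparator is the only part tied to Supermicro's version format.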
CVSS provenance
NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
No detection rules found.
Exploit-DB
SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
exploitdb · 2020-07-15 · CVSS 8.8 · HIGH
---
# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Date: 2020-07-15
# Vendor Homepage: https://www.supermicro.com/
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# CVE: CVE-2020-15046
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
# Description:
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
# The fixed versions are BIOS 3.2 and firmware 03.88.
# PoC :
history.pushState('', '', '/')
Exploit-DB
SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)
exploitdb · 2020-07-08 · CVSS 8.8 · HIGH
---
# Exploit Title: SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.supermicro.com/
# Software Link: https://www.supermicro.com/en/solutions/management-software/bmc-resources
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# CVE: CVE-2020-15046
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
# Description:
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and
# IPMI firmware 03.40 allows remote attackers to exploit a cgi/config_user.cgi
# CSRF issue to add new admin users.
# The fixed versions are BIOS 3.2 and firmware 03.88.
# PoC :
history.pu
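To show what a PoC page like the ones above relies on, and what would have stopped it, here is an added illustration in Python. It is not Supermicro's firmware code and not the exploit author's code: a cookie-only handler for the config_user.cgi endpoint sits beside one that also checks the request's Origin/Referer and a per-session anti-CSRF token. The BMC address (`https://bmc.example.internal`), the `Bmc` and `Request` classes, the `SID` cookie and the form field names (`new_user`, `new_privilege`, `csrf_token`) are hypothetical; the real config_user.cgi parameters are not on this page.

```python
"""The CSRF the advisory describes, as vulnerable and hardened request
handling side by side. Added illustration, not Supermicro firmware code:
the endpoint path and the outcome (a new admin user) come from the page;
the BMC address, session model, form field names and request objects are
hypothetical and constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field

BMC_ORIGIN = "https://bmc.example.internal"   # assumed BMC web UI origin


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Bmc:
    sessions: dict = field(default_factory=dict)  # session id -> {"user", "csrf"}
    users: dict = field(default_factory=dict)     # username -> privilege level

    def login(self, user: str) -> str:
        """Issue a session id and a per-session anti-CSRF token."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def _authorised(self, req: Request):
        """Session lookup shared by both handlers; None means reject."""
        if req.method != "POST" or req.path != "/cgi/config_user.cgi":
            return None
        return self.sessions.get(req.cookies.get("SID"))

    def config_user_vulnerable(self, req: Request) -> int:
        """The pattern behind the advisory: the only check is the session
        cookie, which the victim's browser attaches to a cross-site POST
        on its own, so any page the admin visits can add a user."""
        if self._authorised(req) is None:
            return 403
        self.users[req.form["new_user"]] = req.form["new_privilege"]
        return 200

    def config_user_hardened(self, req: Request) -> int:
        """Same endpoint with the two checks a state-changing request needs:
        it must come from the BMC's own origin, and it must carry the
        session's token, which an attacker's page cannot read."""
        sess = self._authorised(req)
        if sess is None:
            return 403
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        # Exact match for Origin, prefix-with-slash for Referer, so a host
        # such as bmc.example.internal.attacker.example does not pass.
        if origin != BMC_ORIGIN and not origin.startswith(BMC_ORIGIN + "/"):
            return 403
        supplied = req.form.get("csrf_token", "").encode()
        if not hmac.compare_digest(supplied, sess["csrf"].encode()):
            return 403
        self.users[req.form["new_user"]] = req.form["new_privilege"]
        return 200


def forged_request(sid: str) -> Request:
    """What a PoC page makes the victim's browser send: a POST from the
    attacker's origin with the admin's cookie attached and no token."""
    return Request("POST", "/cgi/config_user.cgi",
                   headers={"Origin": "https://attacker.example"},
                   cookies={"SID": sid},
                   form={"new_user": "backdoor", "new_privilege": "Administrator"})


def legit_request(bmc: Bmc, sid: str) -> Request:
    """The same action performed from the BMC's own UI."""
    return Request("POST", "/cgi/config_user.cgi",
                   headers={"Origin": BMC_ORIGIN},
                   cookies={"SID": sid},
                   form={"new_user": "ops", "new_privilege": "Operator",
                         "csrf_token": bmc.sessions[sid]["csrf"]})


def demo() -> tuple:
    """Run both handlers; return status codes and the users each BMC ends up with."""
    weak, strong = Bmc(), Bmc()
    weak_sid, strong_sid = weak.login("ADMIN"), strong.login("ADMIN")
    forged_on_weak = weak.config_user_vulnerable(forged_request(weak_sid))
    forged_on_strong = strong.config_user_hardened(forged_request(strong_sid))
    legit_on_strong = strong.config_user_hardened(legit_request(strong, strong_sid))
    return (forged_on_weak, forged_on_strong, legit_on_strong,
            sorted(weak.users), sorted(strong.users))


if __name__ == "__main__":
    print(demo())  # (200, 403, 200, ['backdoor'], ['ops'])
```

Running it prints (200, 403, 200, ['backdoor'], ['ops']): the cookie-only handler creates the attacker's account, while the hardened one rejects the forged POST and still accepts the same action from the BMC's own UI. Rejecting a request that carries neither Origin nor Referer is the deliberately conservative choice for a management interface, where every client is either a browser session or an API client that can be made to send the token.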
No writeups or analysis indexed.
References
https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
http://packetstormsecurity.com/files/158373/SuperMicro-IPMI-03.40-Cross-Site-Request-Forgery.html