CVE-2015-4119

Name of the Vulnerable Software and Affected Versions ISPConfig versions prior to 3.0.5.4p7

Description The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of administrators for requests that create an administrator account via a request to "admin/users edit.php". Additionally, they can hijack the authentication of arbitrary users for requests that conduct SQL injection attacks via the server parameter to "monitor/show sys state.php".

Recommendations For versions prior to 3.0.5.4p7, update to version 3.0.5.4p7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/users edit.php" and "monitor/show sys state.php" endpoints to minimize the risk of exploitation. Avoid using the server parameter in the affected "monitor/show sys state.php" endpoint until the issue is resolved.