CVE-2017-5473

Name of the Vulnerable Software and Affected Versions ntopng versions prior to 2.4

Description A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of arbitrary users. This is demonstrated by exploitation of the following API endpoints: "admin/add user.lua", "admin/change user prefs.lua", "admin/delete user.lua", and "admin/password reset.lua".

Recommendations For versions prior to 2.4, update to version 2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints until a patch is available.