PT-2019-8615 · Securifi · Securifi Almond+2

Mandar Satam

Published

2019-06-18

Updated

2019-06-21

CVE-2017-8328

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096

Description The issue concerns the lack of cross-site request forgery protection on the web management interface, allowing an attacker to trick a logged-in user into changing a user's password. This is described as a systemic issue.

Recommendations For Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096, consider disabling the password change functionality for the web management interface until a patch is available. Restrict access to the web management interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2017-8328

Affected Products

Almond 2015

Almond+

Securifi Almond

PT-2019-8615 · Securifi · Securifi Almond+2

CVE-2017-8328

Weakness Enumeration

Related Identifiers

Affected Products

References · 6