PT-2020-12326 · Openitcockpit · Openitcockpit

Dejan Zelic · Published 2020-03-20 · Updated 2020-03-25 · CVE-2020-10792

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: openITCOCKPIT versions 3.7.2 and earlier

Description: The issue allows remote attackers to configure certain options by manipulating the HTTP Host header with specific keywords. This can be achieved by placing a hostname containing "dev" or "staging" in the header.

Recommendations: For openITCOCKPIT versions 3.7.2 and earlier, as a temporary workaround, consider restricting access to configure the self::DEVELOPMENT or self::STAGING options until a patch is available. Avoid using hostnames containing "dev" or "staging" in the HTTP Host header to minimize the risk of exploitation.
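An added illustration of the weak pattern the advisory describes, placed beside a hardened alternative; this is not openITCOCKPIT's own code, and the class, method names, APP_ENV variable and hostnames are assumptions:

```php
<?php
// Added illustration, not openITCOCKPIT's own code: the class, method names,
// APP_ENV variable and hostnames are assumptions used to show the pattern.

final class AppEnv
{
    public const PRODUCTION  = 'production';
    public const STAGING     = 'staging';
    public const DEVELOPMENT = 'development';

    // Weak pattern: the environment is inferred from the client-supplied Host
    // header, so any request can switch the application into DEVELOPMENT or STAGING.
    public static function detectFromHost(string $hostHeader): string
    {
        $host = strtolower($hostHeader);
        if (strpos($host, 'dev') !== false) {
            return self::DEVELOPMENT;
        }
        if (strpos($host, 'staging') !== false) {
            return self::STAGING;
        }
        return self::PRODUCTION;
    }

    // Hardened pattern: the environment comes from operator-controlled server
    // configuration; the Host header is only validated against an allowlist.
    public static function detectFromConfig(array $server, array $allowedHosts): string
    {
        $host = preg_replace('/:\d+$/', '', strtolower($server['HTTP_HOST'] ?? ''));
        if (!in_array($host, $allowedHosts, true)) {
            throw new RuntimeException('Host header not in allowlist: ' . $host);
        }
        $env = $server['APP_ENV'] ?? self::PRODUCTION;
        if (!in_array($env, [self::PRODUCTION, self::STAGING, self::DEVELOPMENT], true)) {
            throw new RuntimeException('Invalid APP_ENV value: ' . $env);
        }
        return $env;
    }
}

// Constructed request (hostname is made up): Host contains "dev", APP_ENV says production.
$request = ['HTTP_HOST' => 'dev.monitoring.example:443', 'APP_ENV' => 'production'];
$weak = AppEnv::detectFromHost($request['HTTP_HOST']);
try {
    $hardened = AppEnv::detectFromConfig($request, ['monitoring.example']);
} catch (RuntimeException $e) {
    $hardened = 'request rejected (' . $e->getMessage() . ')';
}
printf("weak detection: %s | hardened detection: %s\n", $weak, $hardened);
```

The weak function lets the request body choose the mode; the hardened one rejects an unexpected Host value and takes the mode only from server-side configuration.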

Fix

Incorrect Default Permissions


Weakness Enumeration

Related Identifiers: CVE-2020-10792

Affected Products: Openitcockpit