PT-2022-16016 · Unknown · Daloradius
Lirantal · Published 2022-12-06 · Updated 2022-12-12 · CVE-2022-23475
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: daloRADIUS versions 1.3 and prior

Description: daloRADIUS is an open source RADIUS web management application. It is vulnerable to a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF), which can lead to account takeover. The issue is in the mng-del.php file, where an unescaped variable is reflected into the DOM on line 116.

Recommendations: For daloRADIUS versions 1.3 and prior, users are advised to manually apply the commit ec3b4a419e to mitigate this issue. As a temporary workaround, mitigate the CSRF vulnerability by setting the daloRADIUS session cookie to SameSite=Lax or by implementing a CSRF token in all forms. Additionally, the XSS vulnerability may be mitigated by escaping the reflected variable or by introducing a Content Security Policy.
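The three workarounds above (SameSite=Lax session cookie, per-session CSRF token, output escaping plus a CSP) combined in one minimal PHP handler. This is an added illustration, not daloRADIUS code or the fix commit; the function names (csrf_check, e) and the form field names are hypothetical.

```php
<?php
// Added example, not daloRADIUS code. Names csrf_token, csrf_check, e and
// username are hypothetical; the deletion itself is omitted.

// 1. Session cookie with SameSite=Lax: a cross-site POST no longer carries it,
//    so a forged request arrives unauthenticated.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. Per-session CSRF token, generated once and verified on every state change.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_check(): void {
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals avoids leaking the token through timing differences.
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// 3. Output escaping: every value reflected into the page goes through here,
//    which is the fix for the unescaped variable the advisory describes.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth: a CSP without 'unsafe-inline' limits what a missed escape can do.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();
    $username = $_POST['username'] ?? '';
    // ... perform the deletion here (omitted) ...
    echo '<p>Deleted user ' . e($username) . '</p>';   // escaped, never raw
} else {
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . e($_SESSION['csrf_token']) . '">'
       . '<input name="username"> <button>Delete</button></form>';
}
```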


Weakness Enumeration

Related Identifiers

CVE-2022-23475
GHSA-C9XX-6MVW-9V84

Affected Products

Daloradius