8.8 High
AI Score
Confidence
Low
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.2%
Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests.
CPE | Name | Operator | Version |
---|---|---|---|
openvpn:openvpn_access_server | openvpn openvpn access server | le | 1.5.6 |
openvpn.net/index.php/access-server/security-advisories.html
seclists.org/fulldisclosure/2014/Jul/76
www.securityfocus.com/archive/1/532795/100/0/threaded
www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140716-1_OpenVPN_Access_Server_Desktop_Client_Remote_Code_Execution_via_CSRF_v10.txt
www.youtube.com/watch?v=qhgysgfvQh8