History: Jun 21, 2023 - 12:47 p.m.

CVE-2022-3372 Cross-Site Request Forgery (CSRF) in Riello UPS Netman-204

2023-06-21 12:47:01
CWE-352
INCIBE
www.cve.org
cve-2022-3372
cross-site request forgery
netman-204
remote attacker
administrator panel
critical parameters

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9
Confidence: High
EPSS: 0.001
Percentile: 34.4%

There is a CSRF vulnerability in Netman-204 version 02.05. An attacker could change administrator passwords through a Cross-Site Request Forgery due to the lack of proper validation of the CSRF token. This vulnerability could allow a remote attacker to access the administrator panel and modify parameters that are critical for industrial operations.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Netman-204",
    "vendor": "Riello UPS",
    "versions": [
      {
        "status": "affected",
        "version": "02.05"
      }
    ]
  }
]
