Ubiquiti Networks: CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection

ID H1:240098
Type hackerone
Reporter hacknroll
Modified 2017-11-24T11:28:25


EdgeOS version 1.9.1 and prior, the researcher was able to bypass the CSRF protection. An attacker with access to an operator (read-only) account, can lure an admin (root) user to access the attacker controlled page, doing so will allow the attacker to gain admin privileges in the system.