CVE-2023-31452

A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520	Vendor Advisory
https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520
https://www.paessler.com/prtg/history/stable	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:paessler:prtg_network_monitor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-09 12:15

Updated : 2023-08-22 19:16

NVD link : CVE-2023-31452

Mitre link : CVE-2023-31452

CVE.ORG link : CVE-2023-31452

JSON object : View

Products Affected

paessler

prtg_network_monitor

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2023-31452", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-08-09T12:15:09.970", "references": [{"url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520", "source": "cve@mitre.org"}, {"url": "https://www.paessler.com/prtg/history/stable", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, {"lang": "es", "value": "Se ha identificado un bypass de token de cross-site request forgery (CSRF) en PRTG 23.2.84.1566 y versiones anteriores que permite a atacantes remotos realizar acciones con los permisos de un usuario v\u00edctima, siempre que el usuario v\u00edctima tenga una sesi\u00f3n activa y sea inducido a lanzar la petici\u00f3n maliciosa. Esto podr\u00eda forzar a PRTG a ejecutar diferentes acciones, como la creaci\u00f3n de nuevos usuarios. La gravedad de esta vulnerabilidad es alta y ha recibido una puntuaci\u00f3n de 8,8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}], "lastModified": "2023-08-22T19:16:36.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:paessler:prtg_network_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8ED29001-6A06-457D-A606-E85C7600B6AD", "versionEndExcluding": "23.3.86.1520"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}