Published: 07/09/2017 Updated: 18/09/2017

CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 685

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server prior to 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely.

Vendor	Product	Versions
Cesanta	Mongoose Embedded Web Server Library	6.8

[+] Credits: John Page AKA hyp3rlinx [+] Website: hyp3rlinxaltervistaorg [+] Source: hyp3rlinxaltervistaorg/advisories/MONGOOSE-WEB-SERVER-v65-CSRF-COMMAND-EXECUTIONtxt [+] ISR: apparitionSec Vendor: =============== wwwcesantacom Product: ================== Mongoose Web Server (Free Edition) Mongoose-free-65exe ...

Mongoose Web Server version 65 suffers from cross site request forgery and remote command execution vulnerabilities ...

CWE-352 http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt http://seclists.org/fulldisclosure/2017/Sep/3 https://www.exploit-db.com/exploits/42614/https://www.securityfocus.com/bid/100830 https://nvd.nist.gov https://www.exploit-db.com/exploits/42614/

CVE-2017-11567

Vulnerability Summary

Affected Products

Exploits

Mailing Lists

References