Published: 07/09/2017 Updated: 18/09/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 685
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server prior to 6.9 allows remote malicious users to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely.

Affected Products

Vendor    Product                               Versions
Cesanta   Mongoose Embedded Web Server Library  6.8


[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt
[+] ISR: apparitionSec

Vendor:
===============
www.cesanta.com

Product:
==================
Mongoose Web Server (Free Edition)
Mongoose-free-6.5.exe ...

Mailing Lists

Mongoose Web Server version 6.5 suffers from cross site request forgery and remote command execution vulnerabilities ...