A request-validation issue exists in Open5GS 2.1.3 up to and including 2.2.x prior to 2.2.1. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
open5gs open5gs |