SB2013102801 - CSRF in DD-WRT firmware

Published: October 28, 2013

Security Bulletin ID SB2013102801
Severity Medium
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site request forgery (CVE-ID: CVE-2012-6297)

A remote attacker can perform CSRF attacks against the router's web interface.

The vulnerability exists because the web interface does not validate the origin of HTTP requests when performing certain state-changing actions. The browser attaches the administrator's session cookie to any request sent to the router, so a remote unauthenticated attacker can create a specially crafted web page, trick the victim into visiting it, and cause the victim's browser to submit requests that execute arbitrary commands on the vulnerable device with the victim's privileges.

Successful exploitation of this vulnerability may allow an attacker to compromise the vulnerable device, but requires that the victim be logged in to the device's web interface at the time the malicious page is viewed.
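The following is an added example, not DD-WRT code, that models the weakness described above. A minimal action handler is shown first in the vulnerable form, where the session cookie alone authorises a privileged command, and then hardened with an Origin/Referer check and a per-session anti-CSRF token that a cross-site page cannot read. The router address, parameter names and `run_command` stand-in are assumptions for illustration.

```python
"""
Added example (not DD-WRT code): a cookie-only action handler that is
exploitable by CSRF, beside a hardened handler that checks the request
origin and a per-session anti-CSRF token. Hostnames, paths and parameter
names are illustrative assumptions, not taken from the firmware.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"        # assumed LAN address of the router
SESSIONS: Dict[str, Dict[str, str]] = {}   # session id -> {"user", "csrf"}


def login(user: str) -> str:
    """Create a session and bind a fresh anti-CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the router embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def run_command(cmd: str) -> str:
    """Stand-in for the privileged action the web interface performs."""
    return "executed: " + cmd


def vulnerable_apply(headers: Dict[str, str], cookies: Dict[str, str],
                     form: Dict[str, str]) -> Tuple[int, str]:
    """Vulnerable pattern: the session cookie is the only check, so any page
    the victim's browser loads can submit this form with the cookie attached."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "login required"
    return 200, run_command(form.get("cmd", ""))


def _request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Host part of the Origin header, falling back to Referer; None if absent
    (an Origin of "null" also yields None and is therefore rejected)."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return urlsplit(h["origin"]).hostname
    if "referer" in h:
        return urlsplit(h["referer"]).hostname
    return None


def hardened_apply(headers: Dict[str, str], cookies: Dict[str, str],
                   form: Dict[str, str]) -> Tuple[int, str]:
    """Hardened: reject state-changing requests whose Origin/Referer is not
    the router itself, and require the per-session token that a cross-site
    page cannot read. Both checks fail closed when the data is missing."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "login required"
    if _request_origin(headers) != ROUTER_HOST:
        return 403, "cross-site request rejected"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[sid]["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    return 200, run_command(form.get("cmd", ""))


if __name__ == "__main__":
    sid = login("admin")
    victim_cookies = {"session": sid}
    # Constructed forged request: the victim's browser, on the attacker's page,
    # posts to the router with the session cookie attached.
    forged = {"Origin": "http://attacker.example", "Host": ROUTER_HOST}
    print(vulnerable_apply(forged, victim_cookies, {"cmd": "reboot"}))
    print(hardened_apply(forged, victim_cookies, {"cmd": "reboot"}))
    legit = {"Origin": "http://" + ROUTER_HOST, "Host": ROUTER_HOST}
    print(hardened_apply(legit, victim_cookies,
                         {"cmd": "reboot", "csrf_token": csrf_token_for(sid)}))
```

The origin check alone is not sufficient on its own: some browsers and proxies strip Referer, and a handler that accepts requests with no origin information reopens the hole, which is why the hardened handler rejects the missing-header case and additionally requires the token.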


Remediation

Install the update from the vendor's website. Until the update is applied, log out of the router's web interface after each administration session and avoid browsing other sites in the same browser while logged in, since the attack relies on the browser sending the active session to the router.