Cross-site request forgery in DD-WRT - CVE-2012-6297


Published: November 16, 2016


Vulnerability identifier: #VU1182
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2012-6297
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: dd-wrt.com
Affected software:
DD-WRT

Detailed vulnerability description

A remote attacker can perform CSRF attacks.

The vulnerability exists due to improper validation of the HTTP request origin when performing certain actions through the router's web interface. A remote unauthenticated attacker can create a specially crafted web page, trick the victim into visiting it, and execute arbitrary commands on the vulnerable device.

Successful exploitation of this vulnerability may allow an attacker to compromise the vulnerable device, but requires that the victim be logged in to the device.
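The defence missing in the flaw described above, as an added illustration (this is not DD-WRT code): a state-changing request to the router's admin interface is accepted only if any Origin/Referer header names the router itself and the form carries a token bound to the victim's session. The host name, session id, header values and the `csrf_token` / `is_request_allowed` helpers are constructed for this example.

```python
# Added example (not DD-WRT code): the server-side check whose absence is CWE-352.
# Hostnames, session ids, headers and tokens below are constructed for illustration.
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlparse

SESSION_SECRET = b"constructed-session-secret"  # in practice: random, per-session


def csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token (HMAC over the session id)."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_host(headers: dict) -> Optional[str]:
    """Host from Origin, else from Referer; None if the browser sent neither."""
    value = headers.get("Origin") or headers.get("Referer")
    return urlparse(value).hostname if value else None


def is_request_allowed(headers: dict, form: dict,
                       session_id: str, router_host: str) -> bool:
    """Gate for any endpoint that changes router state, regardless of HTTP method."""
    # 1. If the browser sent Origin/Referer, it must name the router itself.
    origin = _origin_host(headers)
    if origin is not None and origin != router_host:
        return False
    # 2. The form must carry the session-bound token (constant-time compare),
    #    which a page on another site cannot read and therefore cannot supply.
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode())


# Constructed requests: a legitimate change submitted from the router's own UI,
# and a cross-site POST of the kind a crafted page makes the victim's browser send.
ROUTER = "192.168.1.1"
SESSION = "sess-42"
legit = {"headers": {"Origin": "http://192.168.1.1", "Cookie": "sid=sess-42"},
         "form": {"remote_mgmt": "enable", "csrf_token": csrf_token(SESSION)}}
cross_site = {"headers": {"Origin": "http://attacker.example", "Cookie": "sid=sess-42"},
              "form": {"remote_mgmt": "enable"}}

if __name__ == "__main__":
    print("legit allowed:", is_request_allowed(legit["headers"], legit["form"], SESSION, ROUTER))
    print("cross-site allowed:", is_request_allowed(cross_site["headers"], cross_site["form"], SESSION, ROUTER))
```

Note that the browser attaches the session cookie to both requests; only the token and origin checks tell them apart, which is why the cookie alone must never authorise a state change.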


How to mitigate CVE-2012-6297

Update your router to the latest firmware version.

Sources