perfSONAR - v4.x < = v4.4.5 - Partial Blind CSRF

CVE Category Price Severity
CVE-2022-41413 $Unknown Unknown
Author Risk Exploitation Type Date
Unknown Unknown Unknown 2022-12-01
Our sensors found this exploit at:

Below is a copy:

perfSONAR - v4.x <= v4.4.5 - Partial Blind CSRF

Vendor: perfSONAR
Affected Versions: v4.x <= v4.4.5
Vulnerability Type: Partial Blind CSRF
Discovered by: Ryan Moore
CVE: CVE-2022-41413

A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.

This vulnerability was patched in perfSONAR v4.4.6.

Proof of Concept


Here are two examples of this vulnerability. For further details, review the Technical Overview section below.

Example 1:

Client browser connects to in the background.

Example 2:

Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint.

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.