Kaspersky Lab Advisory
(KL-MOXA-2018-106) Cross-Site Request Forgery
Affected Hardware/Software
Moxa OnCell G3100-HSPA Series Firmware version 1.4 Build 16062919 and prior
Severity level
- Impact: Attacker can impersonate administrative actions via web interface
- Access Vector: Remote
- CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Overall CVSS Score: 8.8
- CVE ID: CVE-2018-11427
- CWE ID: 352
Hardware/Software description
Moxa OnCell G3100-HSPA Series devices are industrial five-band HSPA high speed IP gateways with VPN functionality
Vulnerability description
CSRF tokens are not used in the web application of OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.
Mitigation
Apply firmware patch from vendor.
Credits
Vulnerability was discovered by Eugenie Potseluevskaya (Kaspersky Lab).