
CVE-2021-29660

CVE-2021-29660 – Softing AG OPC Toolbox

Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29660
CVSSv3: 8.8
Severity: High
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli

A Cross-Site Request Forgery (CSRF) vulnerability in Softing AG OPC Toolbox version 4.10.1.13035 and earlier allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker.


Step 1. Create and serve a web page containing the HTML code shown in Figure 1. The page carries the password reset request for the OPC Toolbox web interface; it is not reproduced here in text form.

Figure 1: HTML code for CSRF victim



Step 2. The authenticated administrator browses the page served by the attacker. The browser submits the password reset request to the web application with the administrator's session cookie attached, so the application treats it as a legitimate request from the logged-in Administrator.

Figure 2: The page is served on the attacker system and requested by the victim



Step 3. The password of the "Administrator" user is reset successfully.

Figure 3: CSRF password reset request executed successfully
