CVE-2020-12507 An attacker with access to monit tool 4.2 could access the database by injection.

s::can moni::tools 4.2+ now uses a secure database connection to avoid SQL injection and other security issues.
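The advisory does not describe how moni::tools queries its database, so the following is an added, generic illustration (not the project's code) of the defect class named above and its standard fix: the same lookup written with string concatenation and with a bound parameter, run against a small constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample rows; not taken from moni::tools.
SAMPLE_USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Build the query text by concatenation: the caller-supplied value becomes
    part of the SQL itself, so a quote character changes what the query means."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Pass the value as a bound parameter: the driver transmits it as data,
    so it can never alter the structure of the statement."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: it terminates the string literal in
    # the concatenated query and appends an always-true condition.
    quoted_input = "' OR '1'='1"
    print(lookup_vulnerable(db, quoted_input))      # returns every row
    print(lookup_parameterized(db, quoted_input))   # returns nothing: no such name
```

The parameterized form is the behaviour a "secure database connection" needs to provide; note that the fix is in how the statement is built, not in encrypting or authenticating the connection, which addresses a different risk.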

In s::can moni::tools before version 4.2 an attacker could perform man-in-the-middle attacks via the X-Forwarded-For HTTP header. This may result in loss of integrity and hijacking the session.

s::can moni::tools 4.2+ now enforces HTTPS for secure communication, addressing the loss of integrity and session hijacking described above.

s::can moni::tools before version 4.2 was vulnerable to an XSS attack due to the usage of non-standard character encodings. This may result in loss of integrity and injection of malicious code.

s::can moni::tools 4.2+ now uses the UTF-8 character encoding standard, addressing the loss of integrity and injection of malicious code described above.

In s::can moni::tools before version 4.2 an attacker could bypass the CSRF protection by submitting a request to the s::can moni::tools login endpoint with a crafted X-FROM header. This may result in loss of confidentiality and integrity.

s::can moni::tools 4.2+ now enforces strict CSRF protection via X-FROM and X-TOKEN header restrictions, preventing the loss of integrity and session hijacking described above.
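The advisory names the two headers but not how the 4.2 check validates them, so this is an added example (not moni::tools code) of what a strict, fail-closed check on such headers looks like: X-FROM is parsed and compared as an exact origin against an allowlist rather than matched as a substring, and X-TOKEN is compared to the per-session token in constant time. The header names come from the advisory; the allowlist value and the `check_csrf` function are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Constructed allowlist of exact origins permitted to submit state-changing requests.
ALLOWED_ORIGINS = {"https://monitor.example.internal"}


def origin_allowed(x_from):
    """Accept X-FROM only if it is an exact https origin on the allowlist.

    Parsing the value and rebuilding scheme://host avoids accepting a
    look-alike host that merely contains the allowed name as a prefix.
    """
    if not x_from:
        return False
    parts = urlsplit(x_from)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def token_valid(x_token, session_token):
    """Compare the submitted X-TOKEN with the session's token in constant time.

    Both values are encoded to bytes so that compare_digest never raises on
    non-ASCII input; a missing value on either side fails the check.
    """
    if not x_token or not session_token:
        return False
    return hmac.compare_digest(x_token.encode("utf-8"), session_token.encode("utf-8"))


def check_csrf(headers, session_token):
    """Return True only when both header checks pass; missing headers fail closed."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return (origin_allowed(lowered.get("x-from"))
            and token_valid(lowered.get("x-token"), session_token))


if __name__ == "__main__":
    token = "0f" * 16   # constructed per-session token
    print(check_csrf({"X-FROM": "https://monitor.example.internal",
                      "X-TOKEN": token}, token))           # True
    print(check_csrf({"X-FROM": "https://monitor.example.internal"},
                     token))                              # False: token missing
```

Requiring both an exact-origin match and a matching per-session token means neither header alone, however it is crafted, is sufficient to have a request accepted.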

Authentication bugs

s::can moni::tools 4.2+ includes a new authentication mechanism that better protects against known and unknown attack vectors.
