Optilink OP-XT71000N V2.2, Firmware Version: OP_V3.3.1-191028 is vulnerable to a cross-site request forgery (CSRF) vulnerability when an unauthenticated user's session is hijacked by accessing the "wlwpa.asp" page from "https://***.***/optilink/wlwpa.asp". An attacker can exploit this vulnerability by hijacking a victim's session by tricking the victim into accessing the "wlwpa.asp" page.

Summary

Optilink OP-XT71000N V2.2, Firmware Version: OP_V3.3.1-191028 is vulnerable to a cross-site request forgery (CSRF) vulnerability when an unauthenticated user's session is hijacked by accessing the "wlwpa.asp" page from "https://***.***/optilink/wlwpa.asp". An attacker can exploit this vulnerability by tricking the victim into accessing the "wlwpa.asp" page. The session is also hijacked if the victim does not have access to a specific Optilink device and clicks on a malicious link, embedded on a website that exploits this vulnerability, that redirects them back to https://***.***/optilink/wlwpa.asp. A hijacked session allows actions such as changing settings on the Optilink device without authentication and sending emails, etc., from the hijacked account.

This issue affects all versions of Optilink devices running firmware version 3.2 and below with IP address 192.168.*.*.

Overview

- Optilink OP-XT71000N V2.2, Firmware Version: OP_V3.3.1-191028 is vulnerable to a cross-site request forgery (CSRF) vulnerability when an unauthenticated user's session is hijacked by accessing the "wlwpa.asp" page from "https://***.***/optilink/wlwpa.asp". An attacker can exploit this vulnerability by hijacking a victim's session by tricking the victim into accessing the "wlwpa.asp" page.

Timeline

Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/23/2022 20:47:00 UTC

References