This can be leveraged to bypass authentication and obtain sensitive information such as user names, email addresses, and other login details.
Both of these vulnerabilities have been patched in NPS v0.26.10.
In addition to these security issues, NPS before v0.26.10 also had a privilege escalation vulnerability via the Enforce/Allowed_Products setting. It is possible for a low-privilege user to elevate their permissions to root by changing the Enforce/Allowed_Products setting.
NPS before v0.26.10 also had a cross-site request forgery (CSRF) vulnerability that could be exploited by an attacker to compromise the account of another user.
These issues have been patched in NPS v0.26.10. However, it is always a good idea to update to the latest version of an application as soon as possible.
Check installed version of NPS
NPS before v0.26.10 has multiple vulnerabilities that need to be patched. It is recommended to update to the latest version of NPS; both of these vulnerabilities were patched in v0.26.10.
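As an added example (not part of this advisory), a small Python check that decides whether an installed NPS version string predates the fixed release v0.26.10. It avoids the common mistake of comparing version strings lexically, where "v0.26.9" sorts after "v0.26.10". The page does not describe how to read the version from a host, so that step is left to the reader, and the hostnames in the sample inventory are constructed.

```python
import re
from typing import List, Tuple

# Release that fixed the issues described in the advisory.
FIXED_VERSION = "v0.26.10"


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn 'v0.26.9' or '0.26.10' into a tuple of ints for correct ordering.

    Plain string comparison gets this wrong: 'v0.26.9' > 'v0.26.10'
    lexically, even though 0.26.9 is the older release.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed NPS release predates the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need to be updated."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = [
        ("proxy-a.example.internal", "v0.26.9"),
        ("proxy-b.example.internal", "v0.26.10"),
        ("proxy-c.example.internal", "0.25.0"),
        ("proxy-d.example.internal", "v0.27.1"),
    ]
    for host, ver in triage(inventory):
        print(f"{host}: NPS {ver} predates {FIXED_VERSION}, update required")
```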
NPS Vulnerability FAQs
Q: What is a stored XSS vulnerability?
Q: What is privilege escalation?
Privilege escalation occurs when a low-privileged account obtains permissions that should be reserved for higher-privileged accounts. For example, a low-privilege user has permission to read their own account settings, but should not have permission to change them, since they are not allowed access to the settings of other users or groups of users. In NPS before v0.26.10, a low-privilege user could elevate their permissions to root by changing the Enforce/Allowed_Products setting, without holding any privileged account rights that would normally confer that level of access.
NPS before v0.26.10 also had a privilege escalation vulnerability via the Enforce/Allowed_Products setting which could allow an attacker with low privileges to elevate their privileges indefinitely until they ran out of available products for which
Published on: 10/06/2022 22:15:00 UTC
Last modified on: 10/13/2022 13:36:00 UTC