CVE-2023-33621: GL.iNET Auth Token in GET Query String

GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or access logs, potentially allowing attackers to bypass authentication via session replay.


Justin Applegate

CVE-2023-33621: GL.iNET Auth Token in GET Query String

  • CVSS Score - 5.3, Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
  • Overview - When the OpenVPN server config is exported through the web GUI, the admin authentication token is passed through a GET parameter instead of the Authorization HTTP header, meaning the token is more visible and has a greater chance of being stolen.
  • Description - Including sensitive tokens in the query string of GET requests can be a vulnerability (link1, link2, link3) since query strings are visible in various ways. For example, query strings are recorded in web server and proxy logs, can show up in browser history, and can even appear in Referer headers when a third-party site is visited afterwards. The API is set to accept tokens through the Authorization header, POST parameters, or GET parameters. Most of the requests made to the API put the token in the Authorization header; this one does not.
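To check whether tokens have already leaked into logs in the way described above, the following added example (not part of the original advisory or the vendor's code) scans combined-format access log lines for credentials in the query string and emits a redacted copy. The parameter names in `SENSITIVE_PARAMS`, the request paths and the token value are assumptions; the advisory does not name the parameter the firmware uses.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed parameter names; the advisory does not say which one the firmware uses.
SENSITIVE_PARAMS = {"token", "auth", "access_token", "sid"}

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, names of sensitive query parameters found)."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, found
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan_log(lines):
    """Return (line_number, method, param_names, redacted_line) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, found = redact_target(m.group("target"))
        if found:
            # Splice the redacted target back so the rest of the entry is untouched.
            safe = line[:m.start("target")] + redacted + line[m.end("target"):]
            hits.append((n, m.group("method"), found, safe))
    return hits

# Constructed sample log lines (paths, parameter name and token value are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2023:10:00:01 +0000] "POST /example/login HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jun/2023:10:00:07 +0000] "GET /example/vpn-export?token=3f9ac01d77&fmt=conf HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jun/2023:10:00:09 +0000] "GET /static/app.js?v=12 HTTP/1.1" 200 1033 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, method, params, safe in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} carries {params} in the query string\n  {safe}")
```

Any token that turns up in such a scan should be treated as exposed and invalidated, since the log itself is a copy of the credential.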

Fix

This was fixed in version 3.216.

PoC
