{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2021-47702", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-12-05T19:10:29.045Z", "datePublished": "2025-12-09T20:35:59.643Z", "dateUpdated": "2025-12-09T21:32:16.371Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenBMCS", "vendor": "OPEN BMCS", "versions": [{"status": "affected", "version": "2.4"}]}], "credits": [{"lang": "en", "type": "finder", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings.</p>"}], "value": "OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-12-09T20:35:59.643Z"}, "references": [{"name": "ExploitDB-50667", "tags": ["exploit"], "url": "https://www.exploit-db.com/exploits/50667"}, {"name": "Official Product Homepage", "tags": ["product"], "url": "https://www.openbmcs.com"}, {"name": "Zero Science Lab Disclosure (ZSL-2022-5691)", "tags": ["third-party-advisory"], "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php"}, {"name": "VulnCheck Advisory: OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openbmcs-cross-site-request-forgery-csrf-via-sendfeedbackphp"}], "source": {"discovery": "UNKNOWN"}, "title": "OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php", "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-09T21:32:06.507271Z", "id": "CVE-2021-47702", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T21:32:16.371Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47702", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-09T21:32:06.507271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T21:32:11.583Z"}}], "cna": {"title": "OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OPEN BMCS", "product": "OpenBMCS", "versions": [{"status": "affected", "version": "2.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.exploit-db.com/exploits/50667", "name": "ExploitDB-50667", "tags": ["exploit"]}, {"url": "https://www.openbmcs.com", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php", "name": "Zero Science Lab Disclosure (ZSL-2022-5691)", "tags": ["third-party-advisory"]}, {"url": "https://www.vulncheck.com/advisories/openbmcs-cross-site-request-forgery-csrf-via-sendfeedbackphp", "name": "VulnCheck Advisory: OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings.", "supportingMedia": [{"type": "text/html", "value": "<p>OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-12-09T20:35:59.643Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47702", "state": "PUBLISHED", "dateUpdated": "2025-12-09T21:32:16.371Z", "dateReserved": "2025-12-05T19:10:29.045Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-12-09T20:35:59.643Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings."}], "id": "CVE-2021-47702", "lastModified": "2025-12-12T15:19:07.567", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-12-09T21:15:48.890", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/50667"}, {"source": "disclosure@vulncheck.com", "url": "https://www.openbmcs.com"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/openbmcs-cross-site-request-forgery-csrf-via-sendfeedbackphp"}, {"source": "disclosure@vulncheck.com", "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"created": "2025-12-10T21:33:29.194383+00:00", "updated": "2025-12-10T21:33:29.194419+00:00", "vendors": ["openbmcs", "openbmcs$PRODUCT$openbmcs"]}