OpenCVE

A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Paessler	Prtg Network Monitor

Configuration 1 [-]

cpe:2.3:a:paessler:prtg_network_monitor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520
https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520
https://www.paessler.com/prtg/history/stable

History

Fri, 11 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-09T00:00:00

Updated: 2024-10-10T16:17:07.718Z

Reserved: 2023-04-28T00:00:00

Link: CVE-2023-31452

Vulnrichment

Updated: 2024-08-02T14:53:30.924Z

NVD

Status : Modified

Published: 2023-08-09T12:15:09.970

Modified: 2024-11-21T08:01:53.570

Link: CVE-2023-31452

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-31452", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-10T16:17:07.718Z", "dateReserved": "2023-04-28T00:00:00", "datePublished": "2023-08-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-22T11:58:51.305488"}, "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.paessler.com/prtg/history/stable"}, {"url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520"}, {"url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:53:30.924Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.paessler.com/prtg/history/stable", "tags": ["x_transferred"]}, {"url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520", "tags": ["x_transferred"]}, {"url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-10T16:16:40.638551Z", "id": "CVE-2023-31452", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T16:17:07.718Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-31452", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-10T16:17:07.718Z", "dateReserved": "2023-04-28T00:00:00", "datePublished": "2023-08-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-22T11:58:51.305488"}, "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.paessler.com/prtg/history/stable"}, {"url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520"}, {"url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:53:30.924Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.paessler.com/prtg/history/stable", "tags": ["x_transferred"]}, {"url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520", "tags": ["x_transferred"]}, {"url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-31452", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-10T16:16:40.638551Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T16:17:02.277Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paessler:prtg_network_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ED29001-6A06-457D-A606-E85C7600B6AD", "versionEndExcluding": "23.3.86.1520", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could force PRTG to execute different actions, such as creating new users. The severity of this vulnerability is high and received a score of 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, {"lang": "es", "value": "Se ha identificado un bypass de token de cross-site request forgery (CSRF) en PRTG 23.2.84.1566 y versiones anteriores que permite a atacantes remotos realizar acciones con los permisos de un usuario v\u00edctima, siempre que el usuario v\u00edctima tenga una sesi\u00f3n activa y sea inducido a lanzar la petici\u00f3n maliciosa. Esto podr\u00eda forzar a PRTG a ejecutar diferentes acciones, como la creaci\u00f3n de nuevos usuarios. La gravedad de esta vulnerabilidad es alta y ha recibido una puntuaci\u00f3n de 8,8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}], "id": "CVE-2023-31452", "lastModified": "2024-11-21T08:01:53.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-09T12:15:09.970", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520"}, {"source": "cve@mitre.org", "url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.paessler.com/prtg/history/stable"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.paessler.com/prtg/history/prtg-23#23.3.86.1520"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.paessler.com/prtg/history/stable"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}