CVE-2021-47702 describes a Cross-Site Request Forgery (CSRF) vulnerability in OpenBMCS version 2.4. The sendFeedback.php endpoint accepts state-changing requests without verifying that they originated from the application itself, so an attacker who can get an authenticated administrator's browser to submit a crafted request (for example from a page under the attacker's control) has that request processed with the administrator's privileges. Successful exploitation could lead to unintended system modifications or sensitive data exposure, affecting the integrity and confidentiality of the OpenBMCS deployment.
The vulnerability is significant because it lets an attacker act as an authenticated administrator without knowing the administrator's credentials. By tricking a logged-in administrator into clicking a link or visiting a crafted web page, the attacker causes the victim's browser to send a request to sendFeedback.php; the browser attaches the administrator's session cookie automatically, so the application treats the request as the administrator's own. Depending on what the endpoint does with the submitted data, this could mean sending unauthorized feedback messages or emails, modifying system settings, or reaching sensitive data stored within OpenBMCS. The blast radius covers every account with administrative access, since the attack needs only an active session rather than a password and the victim sees nothing. No public exploitation of this specific issue has been reported, but CSRF is a routinely exploited class of web flaw, and the administrative context here amplifies its impact.
CVE-2021-47702 was publicly disclosed on 2025-12-09. There is no indication of active exploitation campaigns targeting this vulnerability at this time, and the current EPSS score is low (see below). No public proof-of-concept (PoC) exploits have been released. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2021-47702 is to upgrade to a patched version of OpenBMCS as soon as one is available. Until then, reduce exposure with workarounds that address the actual defect, which is that sendFeedback.php cannot distinguish a request originating from the application from one forged by another site: require an unpredictable, per-session anti-CSRF token on every state-changing request and reject requests that lack it (if the application cannot be modified, a reverse proxy or Web Application Firewall (WAF) in front of it can enforce this, and can also reject POSTs whose Origin or Referer header is not the OpenBMCS origin); set the session cookie with the SameSite=Lax or SameSite=Strict attribute so browsers do not attach it to cross-site POSTs; and make sure the action is reachable only by POST, never by a GET link. Input validation on the endpoint's parameters is good hygiene but does not stop CSRF, because a forged request can carry perfectly well-formed data. Review OpenBMCS web-server and application logs for POSTs to sendFeedback.php with a missing or foreign Origin/Referer. After upgrading, confirm the fix by submitting a cross-site request to the endpoint while an administrator's session is active and verifying that it is rejected.
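To make the attack path and the workarounds concrete, the following added example (not OpenBMCS code, and not taken from this advisory) models a CSRF-vulnerable POST handler next to a hardened one. Requests and sessions are plain in-memory objects constructed here to stand in for the PHP session and the POST to sendFeedback.php, so it runs offline. The application origin, the session cookie name, and the form field names (message, csrf_token) are assumptions; the real endpoint's parameters are not stated on this page.

```python
"""CSRF at a POST endpoint: a vulnerable handler beside a hardened one.

Added example, not OpenBMCS code. Requests and sessions are in-memory
objects (constructed here) standing in for the PHP session and the POST to
sendFeedback.php. Cookie name, form field names and ALLOWED_ORIGIN are assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the origin on which OpenBMCS is served.
ALLOWED_ORIGIN = "https://bmcs.example.internal"
SESSION_COOKIE = "PHPSESSID"   # assumption: PHP's default session cookie name


@dataclass
class Session:
    user: str
    role: str
    # Per-session secret an attacker's page cannot read (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: dict   # attached by the browser to cross-site requests as well
    form: dict      # body fields: fully attacker-chosen in a forged request
    headers: dict   # Origin/Referer are set by the browser; page script cannot spoof them


SESSIONS: dict = {}


def login(user: str, role: str) -> str:
    """Create a session; returns the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user, role)
    return sid


def _session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))


def _same_origin(url: str) -> bool:
    """True only for the exact scheme and host[:port] of ALLOWED_ORIGIN (no prefix tricks)."""
    want, got = urlsplit(ALLOWED_ORIGIN), urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def send_feedback_vulnerable(req: Request) -> tuple:
    """Checks only the session cookie, which the victim's browser sends automatically."""
    sess = _session_for(req)
    if sess is None or sess.role != "admin":
        return 403, "forbidden"
    return 200, f"feedback sent as {sess.user}: {req.form.get('message', '')}"


def send_feedback_hardened(req: Request) -> tuple:
    """Same endpoint with the checks that actually stop CSRF."""
    sess = _session_for(req)
    if sess is None or sess.role != "admin":
        return 403, "forbidden"
    if req.method != "POST":
        return 405, "method not allowed"   # a GET link must never perform the action
    # 1. Origin check: browsers add Origin to cross-site POSTs; fall back to
    #    Referer, and fail closed when neither is present or the origin is foreign.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(source):
        return 403, "cross-site request rejected"
    # 2. Synchronizer token bound to the session, compared in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"feedback sent as {sess.user}: {req.form.get('message', '')}"


def forged_request(sid: str) -> Request:
    """What the victim's browser emits when an attacker page auto-submits a form to
    the endpoint: session cookie present, no token, Origin of the attacker's site."""
    return Request("POST", {SESSION_COOKIE: sid}, {"message": "attacker text"},
                   {"Origin": "https://attacker.example"})


def legitimate_request(sid: str, token: Optional[str] = None) -> Request:
    """A POST from the application's own feedback form carrying the session's token."""
    tok = SESSIONS[sid].csrf_token if token is None else token
    return Request("POST", {SESSION_COOKIE: sid},
                   {"message": "real feedback", "csrf_token": tok},
                   {"Origin": ALLOWED_ORIGIN})


def demo() -> dict:
    """Status codes per case; the last two are the post-upgrade verification from the text."""
    sid = login("admin", "admin")
    return {
        "vulnerable_forged": send_feedback_vulnerable(forged_request(sid))[0],
        "hardened_forged": send_feedback_hardened(forged_request(sid))[0],
        "hardened_legit": send_feedback_hardened(legitimate_request(sid))[0],
        "hardened_wrong_token": send_feedback_hardened(legitimate_request(sid, "guess"))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request passes the vulnerable handler because the only thing it checks, the session cookie, is exactly what the browser supplies on the attacker's behalf; it fails the hardened handler twice over, on the Origin check and on the missing token. A SameSite=Lax or Strict attribute on the session cookie is not modelled here, but it would keep the cookie out of the forged request entirely and is the cheapest defense in depth to add alongside the token.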
Update OpenBMCS to a patched version. Refer to the official OpenBMCS documentation or release notes for specific instructions on how to apply the fix. Ensure you back up your configuration before updating.
CVE-2021-47702 is a Cross-Site Request Forgery (CSRF) vulnerability affecting OpenBMCS version 2.4 that allows an attacker to cause actions to be performed with an authenticated administrator's privileges.
If you are running OpenBMCS version 2.4, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of OpenBMCS. Until a patch is available, apply workarounds such as anti-CSRF tokens, SameSite session cookies and Origin/Referer checks; input validation alone does not prevent CSRF.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-47702.
Refer to the OpenBMCS project website and security mailing lists for official advisories and updates regarding CVE-2021-47702.