Platform: php
Component: openbmcs
Fixed in: 2.4.1
CVE-2021-47702 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in OpenBMCS versions 2.4–2.4. This flaw allows an attacker to execute unauthorized actions with administrative privileges by crafting malicious requests targeting the sendFeedback.php endpoint. Successful exploitation could lead to unintended system modifications or sensitive data exposure, impacting the integrity and confidentiality of the OpenBMCS environment.
The CSRF vulnerability in OpenBMCS 2.4 poses a significant risk because it allows attackers to masquerade as an authenticated administrator. By tricking a legitimate user into clicking a malicious link or visiting a crafted webpage, an attacker can initiate actions as if they were the administrator. This could include sending unauthorized emails, modifying system settings, or potentially gaining access to sensitive data stored within the OpenBMCS system. The blast radius extends to any user with administrative access, since their authenticated browser session is abused without their knowledge. While no direct precedent for exploitation of this specific vulnerability is publicly known, CSRF vulnerabilities are frequently exploited in web applications, and this vulnerability's impact is amplified by the administrative privileges it grants.
CVE-2021-47702 was publicly disclosed on 2025-12-09. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The EPSS score is pending evaluation. No public proof-of-concept (PoC) exploits have been released. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals utilizing OpenBMCS version 2.4 are at risk. This includes those deploying OpenBMCS in environments with limited security controls or those who rely on OpenBMCS for critical system monitoring and management functions. Shared hosting environments where multiple users share the same OpenBMCS instance are particularly vulnerable.
• php / web:
curl -I 'http://your-openbmcs-server/sendFeedback.php?action=some_admin_action' | grep -i 'referer'
• php / web: Examine access logs for unusual referer headers preceding administrative actions.
• php / web: Review OpenBMCS configuration files for any insecure settings related to session management or authentication.
• generic web: Monitor network traffic for suspicious POST requests to sendFeedback.php with unexpected parameters.
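As an added example of the log review described in the detection steps above (it is not part of the original advisory and not OpenBMCS code), the following Python snippet parses constructed combined-format access-log lines and flags every request to sendFeedback.php whose Referer is absent or points to a host other than the OpenBMCS instance. The hostname openbmcs.example.internal and the log lines themselves are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache/nginx combined format); not real OpenBMCS data.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Dec/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "http://openbmcs.example.internal/index.php" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2025:10:01:09 +0000] "POST /sendFeedback.php HTTP/1.1" 200 87 "http://openbmcs.example.internal/feedback.php" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2025:10:02:41 +0000] "POST /sendFeedback.php HTTP/1.1" 200 87 "http://attacker-site.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2025:10:02:42 +0000] "GET /sendFeedback.php?action=some_admin_action HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRUSTED_ORIGIN = "openbmcs.example.internal"  # assumed hostname of the OpenBMCS instance
SENSITIVE_PATH = "/sendFeedback.php"           # endpoint named in the advisory


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True when a request hits sendFeedback.php without a same-origin Referer."""
    # Compare the path without its query string, so "?action=..." variants are caught too.
    if urlsplit(entry["path"]).path != SENSITIVE_PATH:
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        # No Referer at all: we cannot confirm the request came from one of our own pages.
        return True
    return urlsplit(referer).hostname != TRUSTED_ORIGIN


def flag_suspicious(log_text):
    """Scan log text and return (timestamp, ip, method, path, referer) for each suspicious request."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            flagged.append((entry["ts"], entry["ip"], entry["method"], entry["path"], entry["referer"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

A missing Referer is treated as suspicious rather than benign, because browsers strip it under some referrer policies and an attacker's page can do the same; correlating these hits with the session or user that performed the action is the next step in triage.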
disclosure
Exploit Status
EPSS
0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2021-47702 is to upgrade to a patched version of OpenBMCS as soon as it becomes available. Until a patch is released, implement temporary workarounds to reduce the risk. These include implementing strict input validation on the sendFeedback.php endpoint to prevent malicious data from being processed. Additionally, consider implementing CSRF tokens on all administrative actions to ensure that requests originate from a trusted source. Web Application Firewalls (WAFs) can be configured to detect and block suspicious CSRF attempts. Regularly review OpenBMCS logs for any unusual activity or signs of exploitation. After upgrading, confirm the fix by attempting to trigger an administrative action via a crafted CSRF request and verifying that it is blocked.
Update OpenBMCS to a fixed version. Consult the official OpenBMCS documentation or the release notes for specific instructions on applying the fix. Make sure to back up your configuration before updating.
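To make the CSRF-token and trusted-origin workarounds above concrete, here is an added, framework-agnostic Python illustration. It is not OpenBMCS code (OpenBMCS itself is PHP) and does not reproduce the real sendFeedback.php; it shows the vulnerable handler shape beside a hardened one operating on constructed session, header and form dictionaries, with the hostname openbmcs.example.internal as an assumption.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "openbmcs.example.internal"  # assumed hostname of the OpenBMCS instance


def issue_csrf_token(session):
    """Create, once per session, the unguessable token that every state-changing form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_is_trusted(headers):
    """Reject cross-site requests by checking Origin, falling back to Referer."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # Browsers send Origin on cross-site POSTs; its absence is not proof the request is ours.
        return False
    return urlsplit(source).hostname == TRUSTED_HOST


def csrf_token_valid(session, form):
    """Constant-time comparison of the submitted token against the one bound to this session."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def send_feedback_vulnerable(session, headers, form):
    """Vulnerable shape: any request riding an admin session is accepted, wherever it originated."""
    if not session.get("is_admin"):
        return 403, "forbidden"
    return 200, f"sent: {form.get('message', '')}"


def send_feedback_hardened(session, headers, form):
    """Hardened shape: same action, but it requires a same-site origin and the session's token."""
    if not session.get("is_admin"):
        return 403, "forbidden"
    if not origin_is_trusted(headers) or not csrf_token_valid(session, form):
        return 403, "csrf check failed"
    return 200, f"sent: {form.get('message', '')}"


def demo():
    """Run one legitimate and one forged (cross-site) request through both handlers; returns status codes."""
    session = {"is_admin": True}          # constructed: an already-authenticated administrator
    token = issue_csrf_token(session)     # token embedded in the site's own feedback form
    legit = ({"Origin": f"http://{TRUSTED_HOST}"}, {"message": "status report", "csrf_token": token})
    forged = ({"Origin": "http://attacker-site.example"}, {"message": "forged"})
    return {
        "vulnerable_forged": send_feedback_vulnerable(session, *forged)[0],
        "hardened_forged": send_feedback_hardened(session, *forged)[0],
        "hardened_legit": send_feedback_hardened(session, *legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the token defends even when a browser omits Origin and Referer, and the origin check defends even if a token leaks through an unrelated bug. In PHP the same pattern maps to storing the token in $_SESSION, embedding it in the form, and comparing with hash_equals() before performing the administrative action.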
CVE-2021-47702 is a Cross-Site Request Forgery (CSRF) vulnerability affecting OpenBMCS versions 2.4–2.4, allowing attackers to perform actions with administrative privileges.
If you are running OpenBMCS version 2.4–2.4, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of OpenBMCS. Until a patch is available, implement workarounds like input validation and CSRF tokens.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-47702.
Refer to the OpenBMCS project website and security mailing lists for official advisories and updates regarding CVE-2021-47702.