CSRF Token Information Disclosure in MC
27 April 2021
09 April 2020
The Management Center (MC) web UI is susceptible to a CSRF token disclosure vulnerability. A remote attacker, who has access to an authenticated MC user's web browser history or a network device that intercepts/logs traffic to MC, can obtain CSRF tokens and use them to perform CSRF attacks against MC.
Product: Management Center (MC)

| CVE | Affected version(s) | Remediation |
|---|---|---|
| CVE-2019-18376 | 2.2, 2.3 | Upgrade to later release with fixes. |
| CVE-2019-18376 | 2.4 | Not vulnerable, fixed in 220.127.116.11. |

| Severity / CVSS v3.0 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
|---|---|
| Description | A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated MC user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC. |
Mitigation & Additional Information
Leaked CSRF tokens are only valid for the duration of the user session they are issued for. They become invalid and can no longer be used after the user session terminates, i.e. the user logs out of the MC web UI or the session expires due to inactivity. The default session inactivity timeout for the MC web UI is 30 minutes and is configurable through the web UI under Administration --> Settings --> System Settings --> General --> Inactivity timeout (minutes).
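As an added illustration of the mitigation above (not code from MC or its vendor), the following session store binds each CSRF token to the session that issued it and rejects the token once that session is logged out or exceeds the 30-minute inactivity timeout; the class, method names and timestamps are assumptions, and the replay scenario in `demo()` is constructed.

```python
import hmac
import secrets

# Default MC web UI inactivity timeout stated in the advisory: 30 minutes.
INACTIVITY_TIMEOUT_SECONDS = 30 * 60


class SessionStore:
    """Hypothetical session store: a CSRF token is only accepted while the
    session that issued it is alive, so a leaked token has a bounded life."""

    def __init__(self, inactivity_timeout=INACTIVITY_TIMEOUT_SECONDS):
        self.inactivity_timeout = inactivity_timeout
        self._sessions = {}  # session_id -> {"csrf": token, "last_seen": ts}

    def login(self, now):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"csrf": secrets.token_urlsafe(32),
                                      "last_seen": now}
        return session_id

    def csrf_token(self, session_id):
        return self._sessions[session_id]["csrf"]

    def logout(self, session_id):
        self._sessions.pop(session_id, None)  # token dies with the session

    def validate_csrf(self, session_id, presented, now):
        sess = self._sessions.get(session_id)
        if sess is None:
            return False
        if now - sess["last_seen"] > self.inactivity_timeout:
            # Idle past the timeout: terminate the session server-side.
            del self._sessions[session_id]
            return False
        sess["last_seen"] = now
        return hmac.compare_digest(sess["csrf"], presented)


def demo():
    # Constructed scenario: a token copied from history/logs is replayed.
    store, t0 = SessionStore(), 1_000_000.0
    sid = store.login(t0)
    leaked = store.csrf_token(sid)
    during_session = store.validate_csrf(sid, leaked, t0 + 60)
    store.logout(sid)
    after_logout = store.validate_csrf(sid, leaked, t0 + 120)
    sid2 = store.login(t0)
    leaked2 = store.csrf_token(sid2)
    after_idle = store.validate_csrf(sid2, leaked2, t0 + 30 * 60 + 1)
    return during_session, after_logout, after_idle
```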
- CVE-2019-18376: Balazs Hambalko, IT Security Consultant
2020-04-09 initial public release