CVE-2020-12507 An attacker with access to monit tool 4.2 could access the database by injection.
s::can moni::tools 4.2+ now uses a secure database connection to avoid SQL injection and other security issues.
In s::can moni::tools before version 4.2 an attacker could perform man-in-the-middle attacks via the X-Forwarded-For HTTP header. This may result in loss of integrity and hijacking the session.
s::can moni::tools 4.2+ now enforces HTTPS for secure communication. This may result in loss of integrity and hijacking the session.
s::can moni::tools before version 4.2 was vulnerable to an XSS attack due to the usage of non-standard character encodings. This may result in loss of integrity and injection of malicious code.
s::can moni::tools 4.2+ now uses the UTF-8 character encoding standard. This may result in loss of integrity and injection of malicious code.
In s::can moni::tools before version 4.2 an attacker could bypass the CSRF protection by submitting a request to the s::can moni::tools login endpoint with a crafted X-FROM header. This may result in loss of confidentiality and integrity.
s::can moni::tools 4.2+ now enforces strict CSRF protection via the X-FROM and X-TOKEN header restrictions. This may result in loss of integrity and prevention of session hijacking.
Authentication bugs s::can moni::tools 4.2+ includes a new authentication mechanism that better protects against known and unknown attack vectors.
Timeline
Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/17/2022 05:21:00 UTC