
Description

OpenBMCS 2.4 contains a cross-site request forgery (CSRF) vulnerability in the sendFeedback.php endpoint. Because the endpoint accepts state-changing requests on the strength of the victim's session alone, an attacker who gets an authenticated administrator to load a malicious page can have the administrator's browser submit crafted requests to sendFeedback.php that execute with administrative privileges, triggering unintended actions such as sending emails or modifying system settings.
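To make the CWE-352 point concrete, here is an added Python model (not OpenBMCS code, and not the advisory's proof of concept) of a feedback-mailing handler in the shape this record describes, beside the same handler with the two standard CSRF defences: a per-session synchronizer token compared in constant time, and an Origin/Referer check. The endpoint name, form field names, session layout and site origin are assumptions made for the illustration; the forged and legitimate requests are constructed inline.

```python
"""Hypothetical model of a CSRF-exposed form handler next to a hardened one.

Added illustration, not OpenBMCS code: the endpoint name, field names,
session layout and SITE_ORIGIN are assumptions made for this example.
"""
import hmac
import secrets

SITE_ORIGIN = "https://bmcs.example"  # assumed origin of the OpenBMCS deployment


def new_session(user, role):
    """Server-side session (looked up from the cookie); the CSRF token lives here."""
    return {"user": user, "role": role, "csrf_token": secrets.token_urlsafe(32)}


def vulnerable_send_feedback(session, form):
    """Accepts any POST that arrives with a valid session cookie.

    This is the handler shape CWE-352 describes: the browser attaches the
    admin's cookie to a cross-site form submission automatically, so a valid
    session alone does not prove the admin intended this request.
    """
    if session.get("role") != "admin":
        return {"status": 403}
    return {"status": 200, "mailed_to": form["recipient"], "body": form["message"]}


def hardened_send_feedback(session, form, headers):
    """Same action, bound to the session via a synchronizer token and an
    origin check, so a page on another site cannot produce an acceptable request."""
    if session.get("role") != "admin":
        return {"status": 403}
    # 1. Origin (Referer as fallback) must be our own site. A form auto-submitted
    #    from attacker.example is sent with Origin: https://attacker.example.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return {"status": 403, "reason": "cross-origin request"}
    # 2. The form must echo the per-session secret. A cross-site page cannot
    #    read it (same-origin policy), so it cannot include it. Constant-time compare.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return {"status": 403, "reason": "missing or invalid csrf token"}
    return {"status": 200, "mailed_to": form["recipient"], "body": form["message"]}


def demo():
    """Run a forged request and a legitimate one through both handlers."""
    admin = new_session("admin", "admin")
    # Constructed forged request: what the victim's browser sends after loading an
    # attacker page with an auto-submitting form. The cookie rides along, the token does not.
    forged_form = {"recipient": "attacker@example.net", "message": "sent by CSRF"}
    forged_headers = {"Origin": "https://attacker.example"}
    # Constructed legitimate request from the application's own feedback page.
    legit_form = {**forged_form, "csrf_token": admin["csrf_token"]}
    legit_headers = {"Origin": SITE_ORIGIN}
    # Constructed same-origin request carrying a guessed token (wrong value).
    guessed_form = {**forged_form, "csrf_token": "A" * 43}
    return {
        "vuln_forged": vulnerable_send_feedback(admin, forged_form)["status"],
        "hard_forged": hardened_send_feedback(admin, forged_form, forged_headers)["status"],
        "hard_legit": hardened_send_feedback(admin, legit_form, legit_headers)["status"],
        "hard_guessed": hardened_send_feedback(admin, guessed_form, legit_headers)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 for the forged request because nothing distinguishes it from one the administrator typed; the hardened handler rejects it on the origin check and would reject it again on the token check even if the Origin header were missing, since the attacker's page cannot obtain the session's token. The CVSS vector on this record (PR:N, UI:P) reflects exactly that pre-condition: no credentials are needed, but the privileged victim has to load the attacker's page.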

PUBLISHED Reserved 2025-12-05 | Published 2025-12-09 | Updated 2025-12-09 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-352: Cross-Site Request Forgery (CSRF)

Product status

Default status
unaffected

2.4
affected

Credits

LiquidWorm (Gjoko Krstic), Zero Science Lab: finder

References

www.exploit-db.com/exploits/50667 (ExploitDB-50667) exploit

www.openbmcs.com (Official Product Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php (Zero Science Lab Disclosure (ZSL-2022-5691)) third-party-advisory

www.vulncheck.com/...equest-forgery-csrf-via-sendfeedbackphp (VulnCheck Advisory: OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php) third-party-advisory

cve.org (CVE-2021-47702)

nvd.nist.gov (CVE-2021-47702)
