Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HUi Airvision Controller
APPUiβ€ 2.1.3Ui Mfi Controller
APPUiβ€ 2.0.15Ui Unifi Controller
APPUi< 3.2.1
Related vulnerabilities
An issue was discovered on Ubiquiti UniFi Meshing Access Point UAP-AC-M 4.3.21.11325 and UniFi Controller 6.0....
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subs...
SMTP MITM refers to a malicious actor setting up an SMTP proxy server between the UniFi Controller version <= ...
Cross-site scripting (XSS) vulnerability in the administer interface in the UniFi Controller in Ubiquiti Netwo...
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows ...