Posted by DAU Huy Ngoc on Jun 02

Hello list,

Here are two CVEs I reported to Freebox, a french ISP:
– CVE-2014-9382 – CSRF in VPN user account creation
– CVE-2014-9405 – XSS

Vulnerable product: Freebox OS Web interface 3.0.2.

CVE-2014-9382 – CSRF in Freebox OS Web interface 3.0.2 allowing VPN user
account creation
====================
Risk level: High

Freebox allows users to create VPN connections to their home network.

In version 3.0.2 when a new user is created, the…