CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8953
https://notcve.org/view.php?id=CVE-2020-8953
OpenVPN Access Server 2.8.x before 2.8.1 allows LDAP authentication bypass (except when a user is enrolled in two-factor authentication). OpenVPN Access Server versiones 2.8.x anteriores a 2.8.1, permite una omisión de autenticación LDAP (excepto cuando un usuario está inscrito en autenticación de dos factores). • https://openvpn.net/security-advisories • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2017-5868 – OpenVPN Access Server 2.1.4 CRLF Injection
https://notcve.org/view.php?id=CVE-2017-5868
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. Una vulnerabilidad de inyección CRLF en la interfaz web en OpenVPN Access Server versión 2.1.4, permite a los atacantes remotos inyectar encabezados HTTP arbitrarios y, en consecuencia, conducir ataques de fijación de sesión y posiblemente ataques de división de respuesta HTTP por medio de caracteres "%0A" en la variable PATH_INFO en la función __session_start __ /. OpenVPN Access Server version 2.1.4 suffers from a CRLF injection vulnerability. • http://www.openwall.com/lists/oss-security/2017/05/23/13 http://www.securitytracker.com/id/1038547 https://sysdream.com/news/lab/2017-05-05-cve-2017-5868-openvpn-access-server-crlf-injection-with-session-fixation • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 6.8EPSS: 0%CPEs: 142EXPL: 0CVE-2014-8104
https://notcve.org/view.php?id=CVE-2014-8104
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. OpenVPN 2.x anterior a 2.0.11, 2.1.x, 2.2.x anterior a 2.2.3, y 2.3.x anterior a 2.3.6 permite a usuarios remotos autenticados causar una denegación de servicio (caída del servidor) a través de un paquete de canal de control pequeño. • http://advisories.mageia.org/MGASA-2014-0512.html http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00008.html http://www.debian.org/security/2014/dsa-3084 http://www.mandriva.com/security/advisories?name=MDVSA-2015:139 http://www.ubuntu.com/usn/USN-2430-1 https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 3CVE-2014-9104
https://notcve.org/view.php?id=CVE-2014-9104
Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests. Múltiples vulnerabilidades de CSRF en la API XML-RPC en Desktop Client en OpenVPN Access Server 1.5.6 y anteriores permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) desconectan sesiones VPN establecidas, (2) conectan con servidores VPN arbitrarios, o (3) crean perfiles VPN y ejecutan comandos arbitrarios a través de solicitudes de la API manipuladas. • http://openvpn.net/index.php/access-server/security-advisories.html http://seclists.org/fulldisclosure/2014/Jul/76 http://www.securityfocus.com/archive/1/532795/100/0/threaded https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140716-1_OpenVPN_Access_Server_Desktop_Client_Remote_Code_Execution_via_CSRF_v10.txt https://www.youtube.com/watch?v=qhgysgfvQh8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-2692
https://notcve.org/view.php?id=CVE-2013-2692
Cross-site request forgery (CSRF) vulnerability in the Admin web interface in OpenVPN Access Server before 1.8.5 allows remote attackers to hijack the authentication of administrators for requests that create administrative users. Vulnerabilidad de CSRF en la interfaz Admin web en OpenVPN Access Server anterior a 1.8.5 permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que crean usuarios administrativos. • http://openvpn.net/index.php/access-server/download-openvpn-as-sw/531-release-notes-v185.html http://osvdb.org/93111 http://secunia.com/advisories/52802 • CWE-352: Cross-Site Request Forgery (CSRF) •