openvpn-monitor@1.0.0 vulnerabilities

A simple web based openvpn monitor

Direct Vulnerabilities

Known vulnerabilities in the openvpn-monitor package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Request Forgery (CSRF)

openvpn-monitor is a web based OpenVPN monitor, that shows current connection information, such as users, location and data transferred.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The client disconnect feature does not require a CSRF token. An attacker can create an CSRF attack page; when a victim with access to the openvpn-monitor application accesses this attack page, an HTTP request is automatically sent to the application that will disconnect the client.

How to fix Cross-site Request Forgery (CSRF)?

A fix was pushed into the master branch but not yet published.

[0,)
  • C
Command Injection

openvpn-monitor is a web based OpenVPN monitor, that shows current connection information, such as users, location and data transferred.

Affected versions of this package are vulnerable to Command Injection via the OpenVPN management interface socket. An attacker can use a newline character (0x0a) to inject additional commands into the socket. This allows an attacker for example to stop the OpenVPN server by sending a SIGTERM signal via the signal SIGTERM management command.

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Access Restriction Bypass

openvpn-monitor is a web based OpenVPN monitor, that shows current connection information, such as users, location and data transferred.

Affected versions of this package are vulnerable to Access Restriction Bypass. When the openvpn-monitor application is accessed, the disconnect button is not displayed (as expected). However, there is no authorization check implemented which check if the functionality is allowed to be used or not. An attacker can use this to disconnect arbitrary clients.

How to fix Access Restriction Bypass?

A fix was pushed into the master branch but not yet published.

[0,)