openvpn-monitor@1.1.3 vulnerabilities

A simple web based openvpn monitor

Direct Vulnerabilities

Known vulnerabilities in the openvpn-monitor package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M  Cross-site Request Forgery (CSRF)

openvpn-monitor is a web-based OpenVPN monitor that shows current connection information, such as users, location and data transferred.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The client disconnect feature does not require a CSRF token. An attacker can create a CSRF attack page; when a victim with access to the openvpn-monitor application visits this attack page, an HTTP request is automatically sent to the application that disconnects the client.

How to fix Cross-site Request Forgery (CSRF)?

A fix was pushed into the master branch but not yet published.

  Vulnerable version: [0,)
  • C  Command Injection

openvpn-monitor is a web-based OpenVPN monitor that shows current connection information, such as users, location and data transferred.

Affected versions of this package are vulnerable to Command Injection via the OpenVPN management interface socket. The management protocol is line oriented, so an attacker can use a newline character (0x0a) to terminate the intended command and inject additional commands into the socket. This allows an attacker, for example, to stop the OpenVPN server by sending it SIGTERM via the `signal SIGTERM` management command.

How to fix Command Injection?

A fix was pushed into the master branch but not yet published.

  Vulnerable version: [0,)
  • M  Access Restriction Bypass

openvpn-monitor is a web-based OpenVPN monitor that shows current connection information, such as users, location and data transferred.

Affected versions of this package are vulnerable to Access Restriction Bypass. When the openvpn-monitor application is accessed with the disconnect feature disabled, the disconnect button is not displayed (as expected). However, no server-side authorization check verifies whether the functionality may actually be used; the UI hides the button but the request is still honoured. An attacker can use this to disconnect arbitrary clients.

How to fix Access Restriction Bypass?

A fix was pushed into the master branch but not yet published.

  Vulnerable version: [0,)
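The following is an added example, not openvpn-monitor's own code, showing the two server-side checks that the Command Injection and Access Restriction Bypass entries above call for: the client identifier is validated against a strict allowlist before it is placed in a single-line `kill` command for the management socket, and the disconnect action is gated by a server-side flag plus the current client list rather than by whether a button is rendered. The allowlist, the 64-character limit, the helper names and the recording socket are assumptions made for this example.

```python
import re

# Allowlist for the identifier handed to the management "kill" command
# (a client common name or "ip:port"). The character set and the 64-char
# limit are assumptions for this example, not openvpn-monitor's own rules.
_CLIENT_ID = re.compile(r"[A-Za-z0-9_.:@-]{1,64}")


def is_safe_client_id(client_id) -> bool:
    """True only for a plain identifier: no whitespace, no control bytes."""
    return isinstance(client_id, str) and _CLIENT_ID.fullmatch(client_id) is not None


def build_kill_command(client_id: str) -> bytes:
    """Return the one-line 'kill <id>' command, or raise if the id is unsafe.

    The management protocol is line oriented, so a value containing 0x0a
    would otherwise end 'kill' early and start a second command.
    """
    if not is_safe_client_id(client_id):
        raise ValueError("client id contains characters outside the allowlist")
    return f"kill {client_id}\n".encode("ascii")


def disconnect_client(sock, client_id, connected_clients, disconnect_enabled):
    """Server-side gate for the disconnect feature; returns the bytes sent."""
    # Authorization is decided here, not by whether the UI shows a button.
    if not disconnect_enabled:
        raise PermissionError("client disconnect is disabled on this server")
    # Only identifiers the monitor itself listed from 'status' are accepted.
    if client_id not in connected_clients:
        raise LookupError(f"not a connected client: {client_id!r}")
    command = build_kill_command(client_id)
    sock.sendall(command)
    return command


class RecordingSocket:
    """Stand-in for the management socket so the example runs offline."""

    def __init__(self):
        self.sent = []

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)


if __name__ == "__main__":
    sock = RecordingSocket()
    print(disconnect_client(sock, "alice", {"alice", "bob"}, True))
    # Constructed injection attempt: rejected before anything reaches the socket.
    print(is_safe_client_id("alice\nsignal SIGTERM"))
```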