7.2
CVE-2026-31849
- EPSS 0.12%
- Published 23.03.2026 12:16:59
- Last modified 29.04.2026 17:43:33
- Source 309f9ea4-e3e9-4c6c-b79d-e8eb01
- CVE watchlists
- Status: unresolved
Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administrator’s browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.
Data provided by the National Vulnerability Database (NVD)
Nexxtsolutions ≫ Nebula300plus Firmware Version <= 12.01.01.37
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.019 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c | 7.2 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
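The weakness above, modelled as an added example that is not code from Nexxt Solutions or from the Nebula 300+ firmware. It contrasts a handler for /goform/setSysTools that honours any request carrying the admin session cookie (the behaviour CVE-2026-31849 describes) with a hardened handler that applies the two standard CWE-352 controls: an Origin/Referer check and a per-session synchronizer token compared in constant time. The device address, cookie and form field names (`session`, `csrf_token`), and the requirement that the endpoint only accept POST are assumptions for illustration; the page names only the endpoint path. The requests are constructed fixtures representing what the device would see when the administrator's browser submits a real form versus a cross-site form planted by an attacker.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed fixture: the router's own origin and the admin's session state.
# Cookie name, token field name and address are assumptions, not values
# taken from the firmware.
DEVICE_ORIGIN = "http://192.168.0.1"
SESSION_COOKIE = "admin-session-1"
SESSION_CSRF_TOKEN = secrets.token_hex(16)  # issued once per login, bound to the session


def vulnerable_accepts(req: dict) -> bool:
    """Behaviour described in the advisory: the state change goes through as soon
    as the admin's session cookie rides along. A browser attaches that cookie to
    a cross-site form post too, so the device cannot tell a forged request from a
    real click on its own settings page."""
    return (req["path"] == "/goform/setSysTools"
            and req["cookies"].get("session") == SESSION_COOKIE)


def _same_origin(req: dict) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer for clients
    that omit Origin. No provenance header at all means the state change is
    refused rather than trusted."""
    src = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == DEVICE_ORIGIN


def hardened_accepts(req: dict) -> bool:
    """Synchronizer-token pattern plus Origin/Referer check. Either control alone
    already defeats a plain cross-site form; together they still hold when a
    Referrer-Policy strips the header or a token value leaks."""
    if req["path"] != "/goform/setSysTools" or req["method"] != "POST":
        return False
    if req["cookies"].get("session") != SESSION_COOKIE:
        return False  # unauthenticated: not a CSRF question at all
    if not _same_origin(req):
        return False
    token = req["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(token.encode(), SESSION_CSRF_TOKEN.encode())


def legitimate_request() -> dict:
    """Constructed: the admin submits the device's own System Tools form."""
    return {
        "method": "POST",
        "path": "/goform/setSysTools",
        "headers": {"Origin": DEVICE_ORIGIN,
                    "Referer": DEVICE_ORIGIN + "/system_tools.html"},
        "cookies": {"session": SESSION_COOKIE},
        "form": {"csrf_token": SESSION_CSRF_TOKEN},
    }


def forged_request(strip_origin: bool = False) -> dict:
    """Constructed: the same admin's browser submits a form hosted on an
    attacker-controlled page. The cookie is attached automatically, the token is
    unknown to the attacker, and Origin (when present) names the attacker's site."""
    headers = {} if strip_origin else {"Origin": "http://attacker.example"}
    return {
        "method": "POST",
        "path": "/goform/setSysTools",
        "headers": headers,
        "cookies": {"session": SESSION_COOKIE},
        "form": {},
    }


if __name__ == "__main__":
    for name, req in [("legitimate", legitimate_request()),
                      ("forged", forged_request()),
                      ("forged, no Origin", forged_request(strip_origin=True))]:
        print(f"{name:18} vulnerable={vulnerable_accepts(req)!s:5} "
              f"hardened={hardened_accepts(req)}")
```

The forged request is accepted by the vulnerable handler in every variant and rejected by the hardened one, while the administrator's own form submission passes both. When checking a real device, the observation to record is the same one the advisory makes: whether a request carrying only the session cookie, with a foreign or absent Origin and no per-session token, still changes configuration.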
https://nexxt-connectivity-frontend.s3.amazonaws.com/media/docs/Nebula300+_v12.01.01.37.zip
https://www.nexxtsolutions.com/connectivity/internal-products/ARN02304U6/