VYPR
Unrated severity · NVD Advisory · Published Mar 25, 2018 · Updated Aug 5, 2024

CVE-2018-8979

Description

Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open-AudIT Professional 2.1 lacks CSRF protection, enabling an attacker to force an authenticated victim to create credentials with a stored XSS payload.

Vulnerability

Open-AudIT Professional version 2.1 is affected by a cross-site request forgery (CSRF) vulnerability. The application does not implement any anti-CSRF tokens or validation mechanisms on its credential creation endpoint (/credentials). This lack of protection allows an attacker to craft a malicious HTML form that, when submitted by an authenticated user, will create a new credential entry. Furthermore, the name and description parameters of the credential form are not sanitized, enabling stored cross-site scripting (XSS). The attacker can chain these weaknesses to inject arbitrary JavaScript into the application [1][2].

Exploitation

An attacker needs to lure an authenticated victim into visiting a crafted HTML page while the victim has an active session in the Open-AudIT Professional 2.1 application. The attacker creates a form that automatically submits a POST request to /credentials with a payload that includes an XSS payload in the name field (e.g., `) and sets the type parameter to ssh` and other credential fields. The form is automatically submitted via JavaScript or by placing the victim on the page with an auto-submitting form. No CSRF token is required, so the request is processed by the application [1][2].

Impact

A successful attack results in the creation of a new credential entry containing an attacker-controlled XSS payload. The stored XSS will execute in the browser of any user who views the credentials page, potentially allowing the attacker to steal session cookies, perform actions on behalf of the victim, escalate privileges (e.g., creating an admin account), or compromise the entire user account. The attacker does not need any prior authentication or elevated privileges beyond the victim being logged in [1][2].

Mitigation

As of the available references (2018-03-27), no official patch or fixed version had been released. The vendor (Open-AudIT) has not provided a workaround. Users of Open-AudIT Professional 2.1 are advised to apply strict input validation and output encoding on the affected parameters (name, description) and implement CSRF tokens for all state-changing operations. The vulnerability is listed on the Exploit Database and should be prioritized for remediation [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF protection on the credentials endpoint allows an attacker to forge authenticated requests."

Attack vector

An attacker crafts a malicious HTML page containing a hidden form that auto-submits a POST request to the `/omk/open-audit/credentials` endpoint. The form includes parameters such as `name`, `org_id`, `description`, `type`, `username`, and `password`. Because the application has no CSRF protection, a victim who is already authenticated to Open-AudIT Professional 2.1 and visits the attacker's page will unknowingly submit the form, creating a new credential entry. The attacker can embed an XSS payload (e.g., `

Affected code

The vulnerability exists in the `/omk/open-audit/credentials` endpoint of Open-AudIT Professional 2.1. The application lacks any CSRF token or anti-forgery protection on this URI, allowing an external attacker to craft a form submission that creates or modifies credential records [ref_id=1].

What the fix does

No patch is provided in the bundle. The advisory [ref_id=1] does not describe a vendor fix; it only documents the absence of CSRF protection. To remediate, the application should implement anti-CSRF tokens on all state-changing forms, validate the `Origin` or `Referer` header, and/or require re-authentication for sensitive actions such as credential creation.
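The Mitigation and "What the fix does" sections above name three controls: session-bound anti-CSRF tokens, Origin/Referer validation, and input validation with output encoding on the `name` and `description` fields. The following Python sketch is an added example of what a hardened credential-creation handler looks like with those controls in place; it is not Open-AudIT's code and is not taken from the advisory. The request shape (`{"headers": ..., "form": ...}`), the allowed origin `https://audit.example.com`, the credential-type allow-list and the signing key are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlparse

# Constructed for this example: a real deployment loads the key from configuration
# and rotates it; it must never be hard-coded.
SECRET_KEY = b"constructed-demo-key-not-for-production"
# The application's own origin(s); a POST arriving from any other origin is forged.
ALLOWED_ORIGINS = {"https://audit.example.com"}
# Constructed allow-list for the `type` field (the advisory mentions `ssh`).
ALLOWED_TYPES = {"ssh", "snmp", "windows"}


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to the caller's session: random nonce + HMAC(session, nonce).

    The token is embedded as a hidden field in the application's own forms. A page on
    another origin cannot read it (same-origin policy), so it cannot build a valid POST.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time check that the submitted token was issued for this session."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: the Origin header (or Referer as a fallback) must be our own site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # strict: a state-changing request with neither header is refused
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin in ALLOWED_ORIGINS


def render_credential_row(record: dict) -> str:
    """Output encoding: stored text is escaped at render time, so markup that reached
    `name` or `description` is displayed literally instead of running in a viewer's browser."""
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        html.escape(record["name"]),
        html.escape(record["description"]),
        html.escape(record["type"]),
    )


def handle_create_credential(request: dict, session_id: str) -> tuple:
    """Hardened handler for a credential-creation POST.

    `request` is a constructed stand-in for a framework request object with the shape
    {"headers": {...}, "form": {...}}. Returns (http_status, response_body).
    """
    headers, form = request.get("headers", {}), request.get("form", {})
    # 1. Reject forged cross-site requests before touching any state.
    if not origin_allowed(headers):
        return 403, "forbidden: bad origin"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "forbidden: missing or invalid CSRF token"
    # 2. Validate the fields the advisory names before storing them.
    name = form.get("name", "").strip()
    description = form.get("description", "").strip()
    cred_type = form.get("type", "")
    if not 1 <= len(name) <= 100 or len(description) > 500:
        return 400, "bad request: name/description length"
    if cred_type not in ALLOWED_TYPES:
        return 400, "bad request: unknown credential type"
    record = {"name": name, "description": description, "type": cred_type}
    # 3. Encode on output whenever the record is rendered back to any user.
    return 201, render_credential_row(record)


if __name__ == "__main__":
    sid = "constructed-session-id"
    forged = {"headers": {"Origin": "https://attacker.example"},
              "form": {"name": "x", "type": "ssh"}}
    print(handle_create_credential(forged, sid))  # rejected: wrong origin, no token
    legit = {"headers": {"Origin": "https://audit.example.com"},
             "form": {"csrf_token": issue_csrf_token(sid), "name": "prod-ssh",
                      "description": "<b>ops</b>", "type": "ssh"}}
    print(handle_create_credential(legit, sid))   # accepted; markup rendered as text
```

The two checks are deliberately independent: a cross-origin page cannot obtain the token, and even a token leaked through some other bug is useless without a matching Origin. Escaping happens at render time rather than on input so the stored value stays intact for non-HTML consumers and no context-specific encoding is lost.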

Preconditions

  • auth: Victim must be authenticated to Open-AudIT Professional 2.1 in the same browser session.
  • input: Attacker must trick the victim into visiting a crafted HTML page (e.g., via email or chat link).
  • network: The target Open-AudIT instance must be reachable from the victim's browser at the expected hostname (e.g., localhost).

Reproduction

1. Log into Open-AudIT Professional 2.1 as an authenticated user.
2. Craft an HTML page with the following form targeting `http://localhost/omk/open-audit/credentials` (adjust host as needed): `

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.