Title: Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit

Advisory ID: ZSL-2019-5521
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: 3/5
Release Date: 15.05.2019

Vendor: BTicino S.p.A. - https://www.bticino.com

Affected Version:
- Hardware Platform: F454
- Firmware version: 1.0.51
- Driver Manager version: 1.1.14

Tested On:
- Apache/2.2.14 (Unix)
- OpenSSL/1.0.0d
- PHP/5.1.6

Vendor Status:
- 30.04.2019: Vulnerability discovered.
- 01.05.2019: Vendor contacted.
- 01.05.2019: Vendor responds, employee from BTicino will contact us.
- 14.05.2019: No reply from the vendor.
- 15.05.2019: Public security advisory released.

PoC: legrand_csrf.html

Credits: Vulnerability discovered by Gjoko Krstic - gjoko@zeroscience.mk

References:
- [1] https://www.exploit-db.com/exploits/46850
- [2] https://exchange.xforce.ibmcloud.com/vulnerabilities/161088
- [3] https://packetstormsecurity.com/files/152940