OpenPLC V3 Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in OpenPLC V3, prior to pull request #310. The issue arises from inadequate CSRF protection, allowing an unauthenticated attacker to manipulate a logged-in administrator into clicking a malicious link. This could result in unauthorized changes to PLC settings or the introduction of harmful programs, potentially causing significant disruption or damage to connected systems.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of PLC settings or the upload of malicious programs, causing considerable disruption or damage to connected systems.

Reproduction

To reproduce this vulnerability, an attacker must craft a link that exploits the CSRF weakness. This link should be designed to manipulate a logged-in administrator's session, taking advantage of the lack of proper CSRF validation. Once the link is clicked, the attacker can unauthorizedly change PLC settings or upload harmful programs.

Remediation

Users are advised to update OpenPLC V3 to pull request #310 or later from the main GitHub repository.