#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:      BOINC Server
# Vendor:       BOINC
# CSNC ID:      CSNC-2025-005
# CVE ID:       CVE-2025-0669
# Subject:      BOINC Cross-Site Request Forgery
# Risk:         High
# Effect:       Remotely exploitable
# Researcher:   Raphaël Arrouas (Xel) via Managed Bugbounty Program
# Coordinator:  Michael Häseler
# Date:         20.01.2025
#
#############################################################

Introduction
------------

BOINC is a software platform for "volunteer computing": large-scale distributed high-throughput computing using volunteered home computers and other resources. [1]

Affected
--------

Vulnerable:
 * All versions < 1.4.3

Not vulnerable:
 * All versions >= 1.4.3

Not tested:
 *

Technical Description
---------------------

The BOINC Server is vulnerable to a CSRF allowing account takeover by password modification affecting the edit_passwd_action.php endpoint. When a victim who is logged in opens the following PoC, their password is changed:

```html
```

This vulnerability can be used to take over any account. As a consequence, it may also be possible to hijack accounts with higher privileges.

Workaround / Fix
----------------

Update to the most recent version of BOINC Server.

Timeline
--------

2024-12-12: Discovery by Hunter
2024-12-12: Initial vendor notification
2024-12-13: Release of fixed Version / Patch
2025-01-27: Assigned CVE-2025-0669
2025-02-03: Initial vendor notification
2025-03-12: Initial vendor response
2009-XX-XX: Public disclosure date

References
----------

[1] https://github.com/BOINC/boinc
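The advisory names the root cause (a state-changing password endpoint that accepts a cross-site POST with no request-origin binding) but not the vendor's patch. The block below is an added illustration of the standard mitigation for this class of bug; it is not BOINC's code and does not reproduce the project's fix. It models a password-change handler that rejects the request unless it carries a CSRF token bound to the caller's session and, as defence in depth, an Origin/Referer header naming the site itself. The host name, session identifier, form field names (`csrf_token`, `old_passwd`, `new_passwd`) and the return strings are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret and trusted origin: both constructed for this example.
SECRET_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://boinc.example.org"  # hypothetical project host


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session (synchronizer-token pattern).

    A page on another origin cannot read the victim's token, so a forged
    form post cannot supply a value that verifies for the victim's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_is_trusted(headers: dict) -> bool:
    """Second layer: the browser-set Origin (or Referer) must name our own site.

    Browsers attach Origin to cross-site POSTs; a missing header is treated
    as untrusted rather than silently accepted.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def handle_edit_passwd_action(session_id: str, form: dict, headers: dict) -> str:
    """Hardened shape of a password-change action (hypothetical handler).

    Order matters: the cheap header check runs first, then the token check,
    then re-authentication with the current password so that even a leaked
    token is not enough on its own.
    """
    if not origin_is_trusted(headers):
        return "rejected: untrusted origin"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: bad csrf token"
    if not form.get("old_passwd"):
        return "rejected: current password required"
    if not form.get("new_passwd"):
        return "rejected: new password required"
    # Real code would verify old_passwd against the stored hash and then
    # update it; this example stops at the request-validation layer.
    return "ok"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session identifier
    token = issue_csrf_token(sid)
    same_site = {"Origin": TRUSTED_ORIGIN}
    print(handle_edit_passwd_action(sid, {"csrf_token": token, "old_passwd": "a", "new_passwd": "b"}, same_site))
    print(handle_edit_passwd_action(sid, {"old_passwd": "a", "new_passwd": "b"}, {"Origin": "https://other.example"}))
```

For detection, the same two signals are what a web-server or WAF log review should key on: POSTs to the password-change endpoint whose Origin/Referer is foreign or absent, and POSTs arriving without the expected token parameter.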