CVE-2014-9104

OpenVPN Access Server <1.5.6 - CSRF

Title source: llm
STIX 2.1

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests.

Scores

EPSS 0.0088
EPSS Percentile 54.9%

Details

CWE
CWE-352
Status published
Products (1)
openvpn/openvpn_access_server < 1.5.6
Published Nov 26, 2014
Tracked Since Feb 18, 2026