CSRF hole in OpenVPN Access Server
OpenVPN Technologies has announced that it has closed a cross-site request forgery (CSRF) in the OpenVPN Access Server admin interface. OpenVPN Access Server is a commercial implementation of OpenVPN from the company that produces the open source OpenVPN package. The flaw exists in version 1.8.4, and may well be present in earlier versions. It is fixed in version 1.8.5, which is available for download.
The problem could potentially be exploited if an administrative user was visiting a maliciously crafted web site while also having the Admin web interface open at the same time, so that an attacker could modify settings in the Admin interface. A security researcher had found that it was possible to easily hijack the session and, for example, create new VPN client accounts.