Critical Vulnerability Information

Application Name: M/Monit 3.2.2

Vulnerability Type: Cross-Site Request Forgery (CSRF)

Vulnerability Description:
- Allows the password of any user account (administrator or regular user) to be reset without knowledge of the current password, because the password-change request is accepted without any verification step (the current password is not required).

Related CVE IDs: CVE-2014-6409, CVE-2014-6607

Affected Versions: <= 3.2.2

Proof of Concept (PoC):

Mitigation:
- The software vendor has acknowledged the issue; a patch may be released in a future version.

Timeline:
- September 15: Vulnerability discovered.
- September 15: Vendor notified.
- September 15: CVE request submitted.
- September 17: CVE assigned.
- September 18: Vendor confirmed the security issue and will release a fix in a future version.
- September 19: Public disclosure.

Discoverer: Dolev Farhi, F5 Networks
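To illustrate the bug class and its fix, here is a constructed password-change handler, added as an example and not M/Monit's code: the vulnerable version accepts any request that arrives with the victim's session, while the hardened version demands a session-bound CSRF token and the current password before storing a new hash. Session layout, field names and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for the example)


def make_session(username: str, password: str) -> dict:
    """Constructed server-side session: salted password hash plus a per-session CSRF token."""
    salt = secrets.token_bytes(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "csrf_token": secrets.token_urlsafe(32),
    }


def verify_password(session: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), session["salt"], ITERATIONS)
    return hmac.compare_digest(digest, session["pw_hash"])


def _store_password(session: dict, new_password: str) -> None:
    """Re-salt and re-hash; shared by both handlers below."""
    session["salt"] = secrets.token_bytes(16)
    session["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), session["salt"], ITERATIONS)


def change_password_vulnerable(session: dict, form: dict) -> bool:
    """Models the advisory's bug class: any request arriving with the victim's session
    resets the password; there is no CSRF token and no current-password check."""
    _store_password(session, form["new_password"])
    return True


def change_password_hardened(session: dict, form: dict) -> tuple:
    """Reject unless the form carries the session-bound CSRF token and the correct
    current password; rotate the token after a successful change."""
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False, "missing or invalid CSRF token"
    if not verify_password(session, form.get("current_password", "")):
        return False, "current password incorrect"
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return False, "new password too short"
    _store_password(session, new_password)
    session["csrf_token"] = secrets.token_urlsafe(32)  # one token per change
    return True, "password changed"
```

A cross-site request cannot read the session's token, so the first check alone stops the forged change; the current-password check additionally protects against an attacker who has a logged-in browser but not the credential.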