Cross-Site Request Forgery on State-Changing Actions (DOM-26-012)


Summary

Several Digi On-Prem Manager actions accepted state-changing requests without the expected CSRF protection, and some could be triggered by a GET request. This advisory covers the following actions: alert deletion, group logo deletion, password change, router enable confirmation, RTask creation, report sending, trouble-ticket sending, and TOTP enablement. A remote attacker could attempt to trigger one of these actions by causing an authenticated operator to load crafted content. The practical impact depends on the victim operator’s permissions and the specific action.

Mitigations

Session cookies are set SameSite=Lax and use the __Host- prefix, so a forged cross-site POST does not carry the session cookie and is rejected before reaching the action. In practice this limited real-world exposure to the actions that could be triggered by a top-level GET navigation, which SameSite=Lax does not block. Until the update is applied, avoid browsing untrusted sites while authenticated to Digi On-Prem Manager.

Solution

Update to Digi On-Prem Manager v26.06 or later. The actions listed above now require a POST request with a validated CSRF token. This advisory addresses those specific actions and does not assert that every state-changing request in the product is CSRF-protected.
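The interplay between the two layers described above (the SameSite=Lax / __Host- session cookie in Mitigations and the POST-plus-CSRF-token requirement in Solution) is easy to get wrong, so here is an added worked model, written for this advisory and not code from Digi On-Prem Manager. The names Request, Session, cookie_attached, host_prefix_ok, legacy_action_allowed, action_allowed and scenarios are this example's own. It models which requests a browser sends a SameSite=Lax cookie with, shows why a cross-site top-level GET still reached the pre-fix actions while a cross-site POST did not, and shows the server-side guard that closes the remaining gap.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model; all names below are this example's own and are not
# Digi On-Prem Manager code or configuration.


@dataclass
class Request:
    method: str                      # "GET" or "POST"
    cross_site: bool                 # initiated from a different site than the app
    top_level: bool                  # top-level navigation (link, redirect, form submit)
    csrf_token: Optional[str] = None  # token carried in the body or a header


def cookie_attached(req: Request) -> bool:
    """Does the browser send a SameSite=Lax cookie with this request?

    Lax attaches the cookie to same-site requests and to cross-site top-level
    navigations that use a safe method (GET). A cross-site POST, image load or
    XHR/fetch carries no cookie, so the server never sees a session at all.
    """
    if not req.cross_site:
        return True
    return req.top_level and req.method == "GET"


def host_prefix_ok(name: str, secure: bool, path: str, domain: Optional[str]) -> bool:
    """Attribute rules a browser enforces before accepting a __Host- cookie:
    Secure must be set, Path must be "/", and no Domain attribute may be present
    (so a sibling host cannot plant or override it)."""
    if not name.startswith("__Host-"):
        return True
    return secure and path == "/" and domain is None


class Session:
    def __init__(self) -> None:
        # Per-session secret that server-rendered forms embed; minted at login.
        self.csrf_token = secrets.token_urlsafe(32)


def legacy_action_allowed(session: Session, req: Request) -> Tuple[bool, str]:
    """Pre-fix behaviour the advisory describes: any method, no token check.
    Only the presence of the session cookie gates the action."""
    if not cookie_attached(req):
        return False, "no session cookie"
    return True, "ok"


def action_allowed(session: Session, req: Request) -> Tuple[bool, str]:
    """Fixed behaviour: session cookie, POST, and a CSRF token bound to the
    session, compared in constant time."""
    if not cookie_attached(req):
        return False, "no session cookie: rejected before the action runs"
    if req.method != "POST":
        return False, "state change requires POST"
    if req.csrf_token is None or not hmac.compare_digest(req.csrf_token, session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def compare(session: Session, req: Request) -> Tuple[bool, bool]:
    """(allowed before fix, allowed after fix) for one request."""
    return legacy_action_allowed(session, req)[0], action_allowed(session, req)[0]


def scenarios(session: Session) -> Dict[str, Tuple[bool, bool]]:
    """The requests a defender would want to compare before and after the fix."""
    return {
        # cross-site form submission: Lax withholds the cookie, blocked either way
        "cross_site_post": compare(session, Request("POST", cross_site=True, top_level=True)),
        # cross-site link or redirect: cookie is sent, so only the fix blocks it
        "cross_site_get": compare(session, Request("GET", cross_site=True, top_level=True)),
        # same-site POST without a token: the fix now requires the token
        "same_site_no_token": compare(session, Request("POST", cross_site=False, top_level=True)),
        # the legitimate request path: POST with the session-bound token
        "same_site_with_token": compare(
            session, Request("POST", cross_site=False, top_level=True, csrf_token=session.csrf_token)
        ),
    }


if __name__ == "__main__":
    for name, (before, after) in scenarios(Session()).items():
        print(f"{name:22s} before fix: {before!s:5s}  after fix: {after}")
```

The "cross_site_get" row is the case the Mitigations section singles out: the cookie arrives because Lax permits it on a top-level GET, and nothing else stood in the way before v26.06. The model deliberately ignores browser-specific relaxations such as cookies that carry no SameSite attribute at all, since the advisory states the attribute is set explicitly.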

Affected Versions

Digi On-Prem Manager versions before v26.06 are affected.