Hi,
“it was possible to gain access to any account on a server running Nginx, where the login is known and two-factor authentication is disabled and if the user could be tricked into doing some specific action.”
I’m trying to understand this sentence better, which uses ‘account’ and ‘login’ and ‘user’ all in the one sentence. Can anyone please confirm if the below is accurate?
‘any account on a server running Nginx’ refers to Matomo user accounts, not UNIX accounts on the server?
‘where the login is known’ - does ‘login’ here refer to the same as above, that is, the Matomo username?
‘the user could be tricked into doing some specific action’ - so that’s the same Matomo account, with a user logged into it in an active session, being tricked into going to a crafted Matomo URL sent to them by the attacker?
In other words: “it was possible to gain access to any Matomo account on a server running Nginx, where that Matomo account’s username is known to the attacker, and two-factor authentication is disabled on that target account, and if the user currently logged into that Matomo account could be tricked into doing some specific action.” ?
Thanks…