Synaccess netBooter NP-0801DU Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in the Synaccess netBooter NP-0801DU version 7.4. The device does not properly validate requests, so it cannot tell whether an administrative request was submitted from its own web interface or from a page on another site. By crafting malicious web pages with hidden form submissions, attackers can trick authenticated administrators into inadvertently granting admin privileges.
Impact
Exploitation of this vulnerability allows for unauthorized administrative access on the affected device.
Reproduction
To reproduce this vulnerability, an attacker must create a malicious web page that includes a form that submits to the 'adm.htm' page of the netBooter NP-0801DU PDU. The form should include hidden fields with values that the PDU recognizes for adding a new admin user. When an authenticated administrator visits the malicious page, the browser sends the request with the administrator's existing authentication, and the PDU will process the request as if it were a legitimate administrative action.
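The request validation the device lacks can be approximated in front of it. The following is an added example, not vendor code or part of the original advisory: a same-origin check that a filtering proxy could apply to requests for 'adm.htm'. The origin pdu.example.internal, the proxy deployment and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the PDU sits behind a filtering proxy
# and is reached at this origin; a bare GET of the page changes nothing.
PDU_ORIGIN = "https://pdu.example.internal"
PROTECTED_PATHS = {"/adm.htm"}  # admin page named in the advisory


def origin_of(url):
    """Return scheme://host[:port] of an absolute URL, else None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def allow_request(method, target, headers):
    """Return True if the proxy may forward this request to the PDU."""
    parts = urlsplit(target)
    if parts.path.lower() not in PROTECTED_PATHS:
        return True
    # Loading the admin page itself carries no parameters to act on.
    if method.upper() in ("GET", "HEAD") and not parts.query:
        return True
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Origin is preferred; Referer is the fallback when Origin is absent.
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False  # fail closed: no proof of where the form came from
    return origin_of(source) == PDU_ORIGIN


# Constructed sample requests (method, target, headers).
SAMPLES = [
    ("POST", "/adm.htm", {"Origin": "https://pdu.example.internal"}),
    ("POST", "/adm.htm", {"Origin": "https://blog.example.net"}),
    ("POST", "/adm.htm", {"Referer": "https://pdu.example.internal.example.net/p"}),
    ("POST", "/adm.htm", {}),
    ("GET", "/adm.htm", {}),
]


def decisions():
    return [allow_request(m, t, h) for m, t, h in SAMPLES]


if __name__ == "__main__":
    for sample, ok in zip(SAMPLES, decisions()):
        print("ALLOW" if ok else "BLOCK", sample)
```

A header check of this kind is a compensating control; the complete fix is a per-session anti-CSRF token validated by the device itself.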
