KYOCERA Net Admin Cross-Site Request Forgery Vulnerability Allowing Unauthorized Admin User Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in KYOCERA Net Admin version 3.4.0906. This vulnerability allows attackers to create administrative users without proper request validation. By crafting malicious web pages that automatically submit forms, attackers can add new admin accounts with predefined credentials when a logged-in user visits the page.

Impact

Exploitation of this vulnerability allows for unauthorized creation of administrative users, potentially leading to unauthorized access and privileges within the application.

Reproduction

To reproduce this vulnerability, a logged-in user must be tricked into visiting a malicious web page that submits a form to the 'addUser.faces' endpoint. The form must include the necessary fields to create a new admin user, such as login name, password, role, and other required information. Once the form is submitted, the new admin account will be created without the user's knowledge.
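The defensive counterpart of the request described above, as an added example that is not KYOCERA's code and not part of the advisory: a server-side CSRF guard that would reject a form submission to 'addUser.faces' arriving from another site, plus a log check that flags such submissions after the fact. The application origin, path prefix, token values and access-log lines are all constructed for illustration; only the endpoint name comes from the advisory.

```python
"""Added example, not code from KYOCERA or from the advisory: a server-side
CSRF guard and an access-log check for the 'addUser.faces' endpoint.
Every hostname, path prefix, token and log line here is constructed."""
import hmac
import re
from urllib.parse import urlparse

APP_ORIGIN = "https://netadmin.example.internal"   # constructed origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}           # never change state
# Combined log format with a Referer field (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], the unit browsers compare."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_request(method, path, headers, form, session_token,
                  app_origin=APP_ORIGIN):
    """Return (allowed, reason) for one request.

    Layer 1: the browser-supplied Origin (or Referer) must be our own origin.
    Layer 2: the form must carry the per-session token (synchronizer pattern),
    so a form auto-submitted from a third-party page cannot know it.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer on state-changing request"
    if _origin_of(source) != app_origin.lower():
        return False, f"cross-site request from {_origin_of(source)}"
    token = form.get("csrf_token", "")
    # compare_digest avoids timing leaks; tokens are assumed ASCII.
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid CSRF token"
    return True, "same-origin request with valid token"


def scan_log(lines, app_origin=APP_ORIGIN, endpoint="addUser.faces"):
    """Flag POSTs to the endpoint whose Referer is absent or from another site.
    Useful as a retrospective check; a missing Referer is suspicious but not
    proof, since some clients and privacy settings strip it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST"
                or not m["path"].endswith("/" + endpoint)):
            continue
        ref = m["referer"]
        if ref == "-":
            why = "no Referer"
        elif _origin_of(ref) != app_origin.lower():
            why = f"foreign Referer {_origin_of(ref)}"
        else:
            continue
        findings.append({"time": m["time"], "user": m["user"],
                         "src": m["src"], "why": why})
    return findings


# Constructed sample log: one legitimate POST, one from a third-party page,
# one GET, and one POST with no Referer at all.
SAMPLE_LOG = [
    '10.0.0.5 - admin [24/Dec/2025:20:10:01 +0000] "POST /addUser.faces HTTP/1.1" '
    '200 512 "https://netadmin.example.internal/addUser.faces" "Mozilla/5.0"',
    '10.0.0.5 - admin [24/Dec/2025:20:12:44 +0000] "POST /addUser.faces HTTP/1.1" '
    '200 512 "http://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [24/Dec/2025:20:13:02 +0000] "GET /addUser.faces HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [24/Dec/2025:20:14:30 +0000] "POST /addUser.faces HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The origin check alone blocks the case in the advisory (a page on another site auto-submitting the form), but it is kept as a second layer behind the per-session token because some clients omit both headers; the token is what makes a legitimate same-origin form distinguishable from an auto-submitted one.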

Added: Dec 24, 2025, 8:22 PM
Updated: Dec 24, 2025, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.