FlexNet Publisher Cross-Site Request Forgery Vulnerability Allowing Unauthorized Admin Account Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in FlexNet Publisher version 11.12.1. It allows an attacker who has no credentials of their own to create administrative user accounts: a crafted HTML form tricks an authenticated user into submitting a request that creates a new local admin account with a predefined password.

Impact

Exploitation of this vulnerability allows for the unauthorized creation of administrative user accounts, potentially leading to unauthorized access and privileges within the application.

Reproduction

To reproduce this vulnerability, an attacker must create a malicious HTML form that includes the necessary fields to create a new user account. This form should be designed to automatically submit a request to the FlexNet Publisher application while the target user is authenticated. Once the request is submitted, a new local admin account will be created with the specified password.
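The server-side check whose absence makes this forgery work, as an added defensive example (not code from the advisory or from the vendor): a state-changing request is accepted only if it comes from the console's own origin and carries a token bound to the user's session. The trusted origin, the `csrf_token` field name and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only origin administrators use to reach the console (placeholder).
TRUSTED_ORIGINS = {"https://licenses.example.internal:8090"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(secret, session_id):
    """Per-session CSRF token: HMAC-SHA256 of the session id under a server secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers):
    """Origin of the page that triggered the request (Origin header, else Referer)."""
    value = headers.get("origin") or headers.get("referer")
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_request(method, headers, session_id, form, secret):
    """Return (allowed, reason) for a request that arrived with a valid session cookie.
    headers is a dict with lowercase keys; form holds the decoded body fields."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = source_origin(headers)
    if origin is None:
        return False, "no Origin/Referer on state-changing request"
    if origin not in TRUSTED_ORIGINS:
        return False, f"cross-site origin {origin}"
    expected = issue_token(secret, session_id)
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a cross-site POST that rides on the victim's session cookie.
    secret, sid = b"constructed-demo-secret", "constructed-session-id"
    print(allow_request("POST", {"origin": "https://attacker.example"}, sid, {}, secret))
```

The session cookie alone never satisfies the check, because the browser attaches it to cross-site submissions automatically; the token and the origin are what a foreign page cannot supply.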

Added: Feb 11, 2026, 9:58 PM
Updated: Feb 11, 2026, 9:58 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 5.0
exploitability: 6.8
remediation: 0.0
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.