All-Dynamics Digital Signage System Cross-Site Request Forgery Vulnerability Allowing Unauthorized Admin User Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in All-Dynamics Digital Signage System version 2.0.2. This vulnerability allows attackers to create administrative users without proper request validation. By crafting a malicious web page that automatically submits forms, attackers can exploit this vulnerability to grant global administrative privileges to new users, taking advantage of the application's lack of adequate request verification.

Impact

Exploitation of this vulnerability allows for the creation of administrative users, bypassing the application's user management validation. This could lead to unauthorized access and control over the digital signage system's features and settings.

Reproduction

To reproduce this vulnerability, a logged-in user must be tricked into visiting a crafted web page that exploits the CSRF flaw. The page should automatically submit a form to the user management endpoint, creating a new user with administrative rights. This can be done by including the necessary form data, such as username, password, and admin role, in the page's HTML.

Remediation

Users are advised to update to All-Dynamics Digital Signage System version 2.0.3, which addresses this vulnerability.
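
For installations that ran version 2.0.2 before upgrading, the web server access log can show whether a user-creation request was submitted from a foreign page, since a cross-site form POST normally carries that page's URL as Referer. The script below is an added example, not part of the advisory or the vendor's code; it assumes Apache/nginx "combined" log format, and the host name, the user-management path placeholder and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): host name and path are placeholders;
# substitute the values of the deployment under review.
SIGNAGE_HOST = "signage.example.internal"
USER_MGMT_PREFIX = "/PLACEHOLDER/user-management"

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify(line):
    """Return None for unparsable or irrelevant lines, else (verdict, fields)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not m["path"].startswith(USER_MGMT_PREFIX):
        return None
    ref = m["referer"]
    if ref in ("", "-"):
        verdict = "no-referer"   # Referer suppressed; needs manual review
    elif (urlsplit(ref).hostname or "").lower() == SIGNAGE_HOST:
        verdict = "same-site"    # exact host match only, so look-alike hosts fail
    else:
        verdict = "cross-site"   # form was submitted from another origin
    return verdict, m.groupdict()

def suspicious(lines):
    """List (verdict, timestamp, client ip, referer) for non-same-site POSTs."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result[0] != "same-site":
            f = result[1]
            hits.append((result[0], f["ts"], f["ip"], f["referer"]))
    return hits

# Constructed sample log lines (not real traffic).
P = USER_MGMT_PREFIX
SAMPLE_LOG = [
    f'10.0.0.5 - admin [10/Dec/2025:09:01:12 +0000] "POST {P} HTTP/1.1" 200 512 "https://signage.example.internal{P}" "Mozilla/5.0"',
    f'10.0.0.5 - admin [10/Dec/2025:09:14:40 +0000] "POST {P} HTTP/1.1" 200 498 "https://other-site.example/page.html" "Mozilla/5.0"',
    f'10.0.0.7 - admin [10/Dec/2025:09:20:03 +0000] "POST {P} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'10.0.0.5 - admin [10/Dec/2025:09:21:00 +0000] "GET {P} HTTP/1.1" 200 2048 "https://signage.example.internal/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Each hit should be compared against the current list of administrative accounts; any account whose creation time matches a flagged request and that no administrator recognises warrants removal and a credential review.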

Added: Dec 10, 2025, 9:35 PM
Updated: Dec 10, 2025, 9:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.