UBICOD Medivision Digital Signage Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in UBICOD Medivision Digital Signage version 1.5.1. The affected endpoint does not validate that a request originated from the application itself, so an attacker can cause administrative user accounts to be created. By crafting a malicious web page that submits a form to the '/query/user/itSet' endpoint, attackers can add new admin users with elevated privileges.

Impact

Exploitation of this vulnerability allows the creation of administrative user accounts, which can lead to unauthorized administrative access and privileges within the application.

Reproduction

To reproduce this vulnerability, a logged-in user must be tricked into visiting a malicious web page that submits a crafted form to the '/query/user/itSet' endpoint. Because the browser attaches the victim's session cookie to that cross-site request, the application processes it as if the logged-in user had submitted it. The form must include the data needed to create a new admin user, such as username, password, email, mobile number, phone number, approval status, and group ID.
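
A detection heuristic for this issue, written as an added example that is not part of the advisory or of the vendor's code: it scans web-server access logs for POSTs to the '/query/user/itSet' endpoint whose Referer is missing or points at a host other than the signage application, which is what a cross-site form submission looks like from the server's side. The host name and the log lines are constructed for illustration; Referer can be suppressed by referrer policies, so this is a triage signal, and the actual fix is server-side request validation (anti-CSRF tokens or SameSite cookies).

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in "combined" access-log format (not real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:21:30:01 +0000] "POST /query/user/itSet HTTP/1.1" 200 312 "https://signage.example.internal/user/list" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2025:21:31:12 +0000] "POST /query/user/itSet HTTP/1.1" 200 312 "https://lure.example.net/page.html" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2025:21:32:40 +0000] "POST /query/user/itSet HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2025:21:33:03 +0000] "GET /user/list HTTP/1.1" 200 4096 "https://lure.example.net/page.html" "Mozilla/5.0"
"""

# Parses one combined-format line into its named fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical application host; the endpoint is the one named in the advisory.
APP_HOST = "signage.example.internal"
WATCHED_PATHS = {"/query/user/itSet"}


def suspicious_requests(log_text, app_host=APP_HOST, watched=WATCHED_PATHS):
    """Return (timestamp, ip, path, reason) for state-changing POSTs to a
    watched endpoint whose Referer is absent or names a foreign host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in watched:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            # A browser-driven POST from the app's own UI normally carries a Referer.
            findings.append((m["ts"], m["ip"], m["path"], "no referer"))
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if host != app_host.lower():
            findings.append((m["ts"], m["ip"], m["path"], f"foreign referer {host}"))
    return findings


if __name__ == "__main__":
    for ts, ip, path, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} POST {path}: {reason}")
```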

Added: Dec 10, 2025, 9:34 PM
Updated: Dec 10, 2025, 9:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.