Yeroo Tech iDS6 DSSPro Digital Signage System Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in Yeroo Tech iDS6 DSSPro Digital Signage System version 6.2. The user-management 'addUser' action accepts state-changing POST requests without anti-CSRF protection, so any request that carries a valid administrator session cookie is honoured regardless of which site issued it. An attacker can therefore host a web page that, when visited by a logged-in administrator, silently submits a request that adds an attacker-controlled user.
Impact
Successful exploitation results in unauthorized administrative actions being performed in the victim's session, such as the creation of a new user with administrative privileges, which gives the attacker credentials of their own for the signage system.
Reproduction
To reproduce this vulnerability, host a web page containing a hidden HTML form whose action is the application's user-management endpoint with the 'addUser' action, whose hidden fields carry the new account's username, password and any other required user data, and which submits itself automatically on page load. When an administrator who is logged into the application visits this page, the browser sends the POST request together with the administrator's session cookie. Because the endpoint performs no check that the request originated from the application itself, the request is accepted and the unauthorized user is created.
