Zucchetti Axess CLOKI Access Control Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in Zucchetti Axess CLOKI Access Control version 1.64. The vulnerability allows an attacker to manipulate access control settings without the user's knowledge. By crafting a malicious web page that contains a hidden form, an attacker can trick an authenticated user into loading the page and inadvertently disabling or modifying access control parameters.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in access control settings, potentially allowing users to gain inappropriate access rights or privileges.
Reproduction
To reproduce this vulnerability, an attacker creates a malicious web page that includes a hidden form. The form is configured to send a request to the 'redirect.cgi' endpoint with the parameters needed to change access control settings. When an authenticated user visits the page, the form is submitted automatically and without their knowledge, and the application accepts the state change because it does not verify that the request originated from its own pages.
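The server-side check that closes this class of bug, as an added example that is not part of the advisory or of Zucchetti's code: a state-changing endpoint such as 'redirect.cgi' should accept only POST requests whose Origin (or Referer) matches the application's own origin and whose body carries the session's anti-CSRF token. The application origin, the token field name and the form fields below are assumptions constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed deployment origin of the access-control web interface (placeholder).
APP_ORIGIN = "https://cloki.example.internal"


def new_session_token() -> str:
    """Per-session anti-CSRF token, generated at login and stored server-side."""
    return secrets.token_urlsafe(32)


def _source_origin(headers: Dict[str, str]) -> Optional[str]:
    """scheme://host of the page that issued the request: Origin first, then Referer."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlparse(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None  # no source information at all: treat as cross-site


def is_state_change_allowed(method: str, headers: Dict[str, str],
                            form: Dict[str, str], session_token: str) -> bool:
    """Guard for a settings-changing endpoint; True only for same-origin, token-bearing POSTs."""
    if method.upper() != "POST":
        return False  # never change settings on GET: a hidden <img>/<form method=get> would trigger it
    if _source_origin(headers) != APP_ORIGIN:
        return False  # the hidden form on an attacker page sends a foreign Origin (or none)
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so token guessing cannot be timed.
    return hmac.compare_digest(submitted, session_token)


# Constructed requests: the cross-site submission from the advisory versus a
# legitimate one from the application's own settings page.
SESSION_TOKEN = new_session_token()
CROSS_SITE = ("POST", {"Origin": "https://attacker.example"}, {"setting": "placeholder"})
SAME_SITE = ("POST", {"Origin": APP_ORIGIN},
             {"setting": "placeholder", "csrf_token": SESSION_TOKEN})

if __name__ == "__main__":
    print("cross-site form accepted:", is_state_change_allowed(*CROSS_SITE, SESSION_TOKEN))
    print("same-origin form accepted:", is_state_change_allowed(*SAME_SITE, SESSION_TOKEN))
```

Setting the session cookie with the SameSite attribute is a complementary browser-side defence, but the server-side check above does not depend on it.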