JM-DATA ONU JF511-TV Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in the JM-DATA ONU JF511-TV, affecting versions 1.0.67, 1.0.62, and 1.0.55. This vulnerability allows attackers to perform administrative actions on behalf of authenticated users without their knowledge or consent. The issue arises from improper validation of user input on the '/boaform/admin/formURL' endpoint.
Impact
Exploitation of this vulnerability could lead to unauthorized administrative actions being performed on behalf of users, potentially allowing for cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities.
Reproduction
To reproduce this vulnerability, an attacker must persuade an authenticated user to visit a malicious website. Once the user is tricked into visiting the site, the attacker can send a crafted HTTP request that exploits the CSRF vulnerability. This can be done by using a form that submits to the '/boaform/admin/formURL' endpoint with the appropriate parameters to perform the desired administrative action, such as deleting an IP entry filter.
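A defender can look for this pattern in proxy or browser telemetry: a POST to '/boaform/admin/formURL' whose Origin or Referer does not match the device's own host. The following is an added detection example, not code from the advisory or the vendor; the log format, field names, and hosts are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

ENDPOINT = "/boaform/admin/formURL"  # endpoint named in the advisory

# Constructed sample: JSON-lines records as a forward proxy might emit them
# (field names and all hosts are assumptions, not taken from the device).
SAMPLE_LOG = """\
{"method":"POST","host":"192.168.1.1","path":"/boaform/admin/formURL","origin":"http://192.168.1.1","referer":"http://192.168.1.1/"}
{"method":"POST","host":"192.168.1.1","path":"/boaform/admin/formURL","origin":"http://news.example","referer":"http://news.example/article"}
{"method":"POST","host":"192.168.1.1","path":"/boaform/admin/formURL","origin":"null","referer":""}
{"method":"GET","host":"192.168.1.1","path":"/","origin":"","referer":"http://news.example/"}
{"method":"POST","host":"192.168.1.1","path":"/boaform/admin/formURL","origin":"","referer":""}
"""

def source_host(origin, referer):
    """Host of the initiating site, 'null' for an opaque origin, else None."""
    if origin == "null":
        return "null"
    for value in (origin, referer):
        host = urlsplit(value).netloc.lower() if value else ""
        if host:
            return host
    return None

def classify(rec):
    """Label one request: 'ignore', 'same-site', 'cross-site' or 'unknown'."""
    path = rec.get("path", "").split("?", 1)[0]
    if rec.get("method") != "POST" or path != ENDPOINT:
        return "ignore"
    src = source_host(rec.get("origin", ""), rec.get("referer", ""))
    if src is None:
        return "unknown"  # neither header present: needs manual review
    return "same-site" if src == rec.get("host", "").lower() else "cross-site"

def scan(log_text):
    """Return (line_number, label) for each POST to the endpoint worth review."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            label = classify(json.loads(line))
            if label in ("cross-site", "unknown"):
                hits.append((n, label))
    return hits

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG):
        print(f"line {n}: {label} POST to {ENDPOINT}")
```

Requests labelled 'unknown' carry neither header, so they cannot be attributed to a site and are reported separately for manual review.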
