Geovision GV-ASWeb Cross-Site Request Forgery Vulnerability Allowing Unauthorized Administrator Account Creation
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Geovision GV-ASWeb application, specifically in versions 6.1.1.0 and earlier. This vulnerability allows attackers to create Administrator accounts arbitrarily by sending a crafted GET request. The issue can be exploited in conjunction with CVE-2024-56903 to execute a successful CSRF attack.
Impact
Exploitation of this vulnerability allows for the unauthorized creation of Administrator accounts. An attacker can then access and manipulate various resources and settings within the application, including monitoring cameras, managing access controls, and disrupting services. Additionally, this vulnerability could be used to retrieve cleartext passwords that might be applicable to other digital assets within the organization.
Reproduction
To reproduce this vulnerability, an attacker must have access to the Geovision GV-ASWeb application version 6.1.1.0 or earlier. The attacker needs to craft a GET request that includes the necessary parameters to create a new Administrator account, such as the account ID, password, email, and access level. This request must be issued from the browser of an Administrator who is currently logged into the application: because the browser attaches the session cookie automatically, the request is accepted as the Administrator's own, which is what makes the CSRF attack bypass authentication.
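To make the mechanism concrete from the defender's side, the following is an added example (not Geovision's code) that models a cookie-authenticated account-creation handler with the flaw the advisory describes, next to a hardened version that refuses the cross-site GET. The endpoint path, parameter names, token scheme and the Sec-Fetch-Site check are assumptions for illustration, not details of GV-ASWeb.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical endpoint: the advisory does not name the real path or parameters.
ACCOUNT_CREATE_PATH = "/example/create_account"  # placeholder, not GV-ASWeb's real path

@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict
    headers: dict = field(default_factory=dict)

# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def new_admin_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": "admin", "csrf": secrets.token_hex(16)}
    return sid

def vulnerable_create_account(req):
    """Models the flaw: any GET carrying a valid admin session cookie creates the account.
    The browser sends the cookie on its own, so a page the admin merely visits can trigger it."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.path != ACCOUNT_CREATE_PATH or sess is None or sess["user"] != "admin":
        return False
    return True  # account would be created here

def hardened_create_account(req):
    """State change only on POST, with a per-session synchronizer token that a cross-site
    page cannot read, plus a same-origin check on Sec-Fetch-Site (missing header = rejected)."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.path != ACCOUNT_CREATE_PATH or sess is None or sess["user"] != "admin":
        return False
    if req.method != "POST":
        return False
    if not hmac.compare_digest(req.params.get("csrf_token", ""), sess["csrf"]):
        return False
    return req.headers.get("Sec-Fetch-Site") == "same-origin"

def demo():
    """Constructed requests: a forged cross-site GET and a legitimate same-origin POST."""
    sid = new_admin_session()
    fields = {"id": "newadmin", "pw": "x", "email": "a@b.invalid", "level": "admin"}
    forged = Request("GET", ACCOUNT_CREATE_PATH, dict(fields), {"session": sid},
                     {"Sec-Fetch-Site": "cross-site"})
    legit = Request("POST", ACCOUNT_CREATE_PATH, {**fields, "csrf_token": SESSIONS[sid]["csrf"]},
                    {"session": sid}, {"Sec-Fetch-Site": "same-origin"})
    return (vulnerable_create_account(forged), hardened_create_account(forged),
            hardened_create_account(legit))
```

Running `demo()` returns `(True, False, True)`: the flawed handler accepts the forged GET, the hardened one rejects it and still accepts the genuine POST.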
Remediation
Users are advised to update to Geovision GV-ASWeb version 6.1.2.0 or later.
