GeoVision GV-ASManager Information Disclosure Vulnerability

A vulnerability allowing information disclosure has been identified in the GeoVision GV-ASManager web application, specifically in versions through 6.1.0.0. This vulnerability exposes account information, including passwords in cleartext.

Impact

Exploitation of this vulnerability allows a low privilege account to access the cleartext passwords of all accounts within GV-ASManager. With the retrieved password, an attacker can log into the application and gain access to various resources and functionalities, such as monitoring cameras, managing access control data, and disrupting services. Additionally, the password could be reused in other digital assets of the organization.

Reproduction

To reproduce this vulnerability, first, access the GV-ASManager web application using a Guest account, which is enabled by default. Due to a separate broken access control vulnerability, it is possible to retrieve a list of all accounts, including those with higher privileges. Once the target account is identified, the vulnerability can be exploited by sending a request that includes the username of the account whose password is to be retrieved. The application will respond with the password in cleartext.

Remediation

Users are advised to update to GeoVision GV-ASManager version 6.1.2.0 or later. Version 6.1.1.0 also addresses this vulnerability but is still susceptible to a Cross-Site Request Forgery attack.