Geovision GV-ASWeb Request Method Modification Vulnerability in Account Management
Vulnerability
Geovision GV-ASWeb versions 6.1.1.0 and earlier do not enforce the HTTP method on state-changing requests: an operation that the web interface submits with POST, including account-management functions such as creating a user, is also processed when the same parameters are sent in a GET request. Because these endpoints also lack Cross-Site Request Forgery (CSRF) protection (CVE-2024-56901), the two issues combine into a practical CSRF attack in which the request can be delivered as a plain URL.
Impact
On its own, accepting GET in place of POST means that a sensitive action can be triggered by a URL rather than by a form submission, so it can be placed in a link, an image tag or a redirect. Combined with the missing CSRF token (CVE-2024-56901), this lets an attacker who can get an authenticated GV-ASWeb administrator to load an attacker-controlled page perform account-management actions in that administrator's session, such as creating a new account or modifying an existing one, without any further interaction from the victim.
Reproduction
To reproduce this issue, log in to a Geovision GV-ASWeb instance running version 6.1.1.0 or earlier and capture the POST request that the interface sends when a new account is created. Resend the same parameters as a GET request, with the form fields moved into the query string. The application creates the account from the GET request exactly as it would from the POST, and no CSRF token is required in either case. Because the action can now be triggered by a simple GET, the same URL can be embedded in a page under the attacker's control; when an authenticated administrator loads that page, the browser sends the request with the victim's session and the account is created or modified without the administrator's knowledge.
Remediation
Users are advised to update to the latest version of Geovision GV-ASWeb, available from the Geovision website, and to confirm from the vendor's release notes that the installed version addresses this issue. Until the update is applied, restricting network access to the GV-ASWeb interface to trusted hosts reduces the chance that an administrator's browser can be steered to an attacker's page while logged in.
