Network Optix Nx Witness VMS CORS Misconfiguration Leading to Administrator Account Takeover

Vulnerability

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability has been identified in the REST API of Network Optix Nx Witness VMS, affecting versions prior to 6.1.2 on both Linux and Windows. When the default Standard security mode is active, this vulnerability allows an unauthenticated remote attacker to steal the session token of an authenticated user by luring the victim to a malicious cross-origin web page; with that token the attacker can then perform an Administrator Account Takeover. Notably, the High security mode is not affected.

Impact

Exploitation of this vulnerability could lead to unauthorized access to an Administrator account, allowing the attacker to perform administrative actions within the application.

Remediation

Update to Network Optix Nx Witness VMS version 6.1.2 or later, where the CORS policy has been corrected. For existing installations in Standard security mode, it is recommended to disable CORS credentials by sending a PATCH request to the REST API with supportedOrigins set to null. Alternatively, the High security level can be selected during the initial setup.
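As an added illustration of the remediation and of how a defender can verify it (this is editor-supplied example code, not Network Optix's own tooling or API client), the script below evaluates CORS response headers the way a browser would and builds the PATCH body the advisory describes. The API path passed to the live check, the probe origin, and the sample header sets are assumptions or constructed values; the advisory names no endpoint, so take the path from the vendor's REST API documentation.

```python
import json
import sys
from urllib import error, request

# Constructed sample responses (not captured from a real server). The first
# echoes an arbitrary Origin back with credentials allowed, which is the
# pattern that lets a foreign page read a credentialed (session-bearing)
# response; the second pins a single trusted origin; the third allows any
# origin but no credentials.
SAMPLE_RESPONSES = {
    "reflecting": {
        "Access-Control-Allow-Origin": "https://untrusted.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "pinned": {
        "Access-Control-Allow-Origin": "https://vms.internal.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "no_credentials": {
        "Access-Control-Allow-Origin": "*",
    },
}

PROBE_ORIGIN = "https://untrusted.example"  # hypothetical origin used for the check


def cors_exposes_credentials(headers, probe_origin):
    """True when a page on `probe_origin` would be allowed to read a
    credentialed response: Access-Control-Allow-Origin equals the untrusted
    probe origin (or the literal 'null') and Access-Control-Allow-Credentials
    is 'true'. A wildcard '*' combined with credentials is refused by browsers,
    so it is deliberately not flagged."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    return acac and acao in (probe_origin, "null")


def remediation_patch_body():
    """JSON body for the PATCH the advisory recommends: supportedOrigins
    set to null, which disables credentialed cross-origin access."""
    return json.dumps({"supportedOrigins": None})


def probe_server(base_url, api_path, probe_origin=PROBE_ORIGIN, timeout=10):
    """Send one GET with a foreign Origin header to your own server and report
    whether its CORS headers still expose credentials. `api_path` is any REST
    API endpoint documented by the vendor (assumption: the advisory gives none).
    Error responses (401/403) are evaluated too, since they carry CORS headers."""
    req = request.Request(base_url.rstrip("/") + api_path,
                          headers={"Origin": probe_origin}, method="GET")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            headers = dict(resp.headers.items())
    except error.HTTPError as err:
        headers = dict(err.headers.items())
    return cors_exposes_credentials(headers, probe_origin)


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: exposes credentials = "
              f"{cors_exposes_credentials(hdrs, PROBE_ORIGIN)}")
    print("remediation PATCH body:", remediation_patch_body())
    if len(sys.argv) == 3:  # usage: script.py https://vms.internal.example /rest/<documented-path>
        print("live check exposes credentials:", probe_server(sys.argv[1], sys.argv[2]))
```

Run the live check against the server both before and after applying the PATCH (or after selecting High security mode); the remediation has taken effect once the check returns False for an origin the system does not trust.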

Added: May 29, 2026, 9:25 AM
Updated: May 29, 2026, 9:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.8
remediation: 0.0
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.