CVE-2024-56903 - The GeoVision GV-ASManager web application, version 6.1.1.0 or earlier, allows attackers to change the POST request method to GET against critical functionalities, such as account management. This vulnerability is used in a chain with CVE-2024-56901 for a successful CSRF attack.
To perform a successful attack, an attacker requires:
- GeoVision GV-ASManager version 6.1.1.0 or earlier
- Network access to the GV-ASManager web application (in some deployments it is publicly accessible)
The vulnerability can be leveraged to perform the following unauthorized actions:
- An unauthorized account is able to:
  - Change the POST request method to GET.
- After a successful attack, an attacker will be able to:
  - Perform a CSRF attack by leveraging the CVE-2024-56901 vulnerability.
Account list before the attack starts
When a new account is created, the POST request method is used
Changing the POST request method to GET
The new account has been created with the GET request method
As shown above, the web application allows the request method to be changed. Because a new account can be created with a GET request and no CSRF token is required, we can assume a CSRF vulnerability exists, which is described in CVE-2024-56902.
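As an added defensive illustration (this is example code, not part of the advisory and not GeoVision's code), the following Python sketch shows the two checks an application should apply in front of account-management endpoints: state-changing actions are bound to POST only, so a request that arrives as GET is refused before any handler runs, and POST requests must carry a valid per-session CSRF token. The route paths `/account/create` and `/account/delete`, the `csrf_token` parameter name and the sample requests are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed routes that change server state. Each is bound to POST only.
STATE_CHANGING_ROUTES = {"/account/create", "/account/delete"}


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, issued when the session is created.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: dict  # query string for GET, form body for POST
    session: Session


def check_request(req: Request) -> tuple[int, str]:
    """Return (status, reason). 200 means the request may reach its handler."""
    if req.path not in STATE_CHANGING_ROUTES:
        return 200, "read-only route"
    # 1. Method binding: a mutating route never accepts anything but POST,
    #    so the POST-to-GET change described above is rejected outright.
    if req.method.upper() != "POST":
        return 405, "state-changing route requires POST"
    # 2. CSRF token: must be present and match the session token exactly
    #    (constant-time compare on bytes, so odd encodings cannot raise).
    token = req.params.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def demo() -> list[tuple[int, str]]:
    """Constructed sample requests: method changed to GET, POST without token, valid POST."""
    sess = Session(user="admin")
    cases = [
        Request("GET", "/account/create", {"name": "newuser"}, sess),
        Request("POST", "/account/create", {"name": "newuser"}, sess),
        Request("POST", "/account/create", {"name": "newuser", "csrf_token": sess.csrf_token}, sess),
    ]
    return [check_request(r) for r in cases]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```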
Download the latest version from here
If you have a question, you can contact me, Giorgi Dograshvili on LinkedIn.