Cyber Posture

CVE-2024-56901

High

Published: 03 February 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A Cross-Site Request Forgery (CSRF) vulnerability in the Geovision GV-ASWeb application, versions 6.1.1.0 and earlier, allows attackers to arbitrarily create Administrator accounts via a crafted GET request. This vulnerability is used in combination with CVE-2024-56903 to carry out a successful CSRF attack.

Security Summary

CVE-2024-56901 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Geovision GV-ASWeb application in versions 6.1.1.0 and earlier. The flaw enables attackers to arbitrarily create Administrator accounts through a crafted GET request. It is chained with CVE-2024-56903 to achieve a successful CSRF attack. The weakness is classified as CWE-352 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by remote attackers over the network without any privileges, provided they can lure an authenticated user into performing an action such as visiting a malicious webpage (user interaction is required). Successful exploitation allows the creation of unauthorized Administrator accounts, potentially granting full control over the application, with high impact on confidentiality, integrity, and availability.

Mitigation details are available in the advisory published on GitHub at https://github.com/DRAGOWN/CVE-2024-56901, which is referenced by the CVE record published on 2025-02-03. Security practitioners should consult this resource for patching instructions or workarounds specific to GV-ASWeb.

Details

CWE(s)
CWE-352

References