CSAL#53
Security Notification # CSAL53

Advisory Title: CSRF Attack Possible on Various Forms

Document ID: TAS/PRD/GEN/SN-CSAL#53
Document Name: Security Notification # CSAL53
Doc. Rev.: 0

Publication Date: 15-Jan-24
Incident Source: CSAL52
CVE / Vulnerability Reference:
Last Update: 06-Feb-24
Reported By: Valency Networks Testing Agency
Advisory ID#: Posting Not Started Yet
Current Version: WP500 FW 0.6.6
CVSS Score: 8.5
Vulnerability Description
A cross-site request forgery (CSRF) attack is possible on the forms mentioned below. An attacker can sit remotely, create a dummy form and have it submitted using the valid session of a victim who is already logged in, delivered for example through a chat application or a phishing attack. From a technical point of view, this is possible because the HTTP POST form carries no CSRF token, which leaves it open to remote request forgery. Replicating this problem is not easy; however, please read the solution mentioned below to fix the issue.
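The missing control described above, shown as an added example that is not taken from this advisory or from the WP500 firmware: a per-session anti-CSRF token (synchronizer token pattern) embedded in the POST form and checked on every submission. The session store, form markup and request handler are hypothetical stand-ins for the device's web UI.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> session data.
_sessions: dict[str, dict] = {}


def login(session_id: str) -> None:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    _sessions[session_id] = {"csrf": secrets.token_urlsafe(32)}


def render_form(session_id: str) -> str:
    """Emit the settings form with the session's token as a hidden field."""
    token = _sessions[session_id]["csrf"]
    return (
        '<form method="POST" action="/settings">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="hostname"><button>Save</button></form>'
    )


def handle_post(session_id: str, fields: dict) -> tuple[int, str]:
    """Apply the POST only when the submitted token matches the session's token.

    A page on another origin can make the victim's browser send the session
    cookie, but it cannot read the token out of the legitimate form, so a
    forged submission arrives without it (or with a wrong value) and is refused.
    """
    session = _sessions.get(session_id)
    if session is None:
        return 401, "not logged in"
    submitted = fields.get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"hostname set to {fields.get('hostname', '')}"


def extract_token(form_html: str) -> str:
    """Read the hidden token back out of the rendered form (same-origin only)."""
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]
```

A legitimate submission built from the rendered form carries the token and is accepted; a cross-origin forgery that rides on the victim's session cookie alone is rejected with 403.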
Impact
The susceptibility of our web forms to cross-site request forgery (CSRF) attacks presents a significant security risk, undermining the integrity of user interactions and data transactions within our system. An attacker can exploit this vulnerability to perform unauthorized actions on behalf of authenticated users without their consent or knowledge. The exploitation of this vulnerability can have several severe implications
Affected Products
WP500 Firmware version 0.65
Temporary Fix / Mitigation
Please update to firmware version 0.6.6.
Acknowledgment
Valency Networks, Pune
History
NA
Classification of Vulnerability