Security Notification # CSAL56

Advisory Title: Privilege Escalation via Form Submission
Document ID: TAS/PRD/GEN/SN-CSAL#56
Document Name: Security Notification # CSAL56
Doc. Rev.: 0

Publication Date: 15-Jan-24
Incident Source: CSAL56
CVE / Vulnerability Reference: OWASP (A5)
Last Update: 06-Feb-24
Reported By: Valency Networks Testing Agency
Advisory ID#: Posting Not Started Yet
Current Version: WP500 FW 0.6.6
CVSS Score: 8.5

Vulnerability Description

Privilege escalation is possible by submitting an entire form as an HTTP POST or HTTP GET request.

Steps to replicate the attack

Impact

Privilege escalation via HTTP POST or GET involves identifying forms that accept these requests, analysing and modifying the parameters that control privileges, and sending the modified request to gain unauthorised access. Mitigation includes strong access controls, input validation, secure session management, role-based access control, and regular security audits.
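As an added illustration of the flaw class and mitigation described above (example code written for this notification, not taken from the WP500 firmware or its vendor), a handler that binds a privilege-controlling form field beside a hardened handler that takes privilege only from the server-side session and enforces a role check per request. The session store, field names and handler names are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed server-side session store: session id -> authenticated principal.
SESSIONS = {
    "sess-operator": {"user": "alice", "role": "operator"},
    "sess-admin": {"user": "root", "role": "admin"},
}

# Fields the profile form may bind. Privilege-controlling fields such as
# "role" are deliberately absent, so they can never be set from client input.
BINDABLE_FIELDS = {"display_name", "timezone"}


def parse_form(body: str) -> dict:
    """Decode a urlencoded POST body or GET query string into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_update_profile(session_id: str, body: str) -> dict:
    """Flawed pattern: every submitted field, including 'role', is written back."""
    session = SESSIONS[session_id]
    profile = {"user": session["user"], "role": session["role"]}
    profile.update(parse_form(body))  # a submitted role value overrides the session role
    return profile


def hardened_update_profile(session_id: str, body: str) -> dict:
    """Hardened pattern: privilege comes only from the session; unknown fields are rejected."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("no authenticated session")
    submitted = parse_form(body)
    unexpected = set(submitted) - BINDABLE_FIELDS
    if unexpected:
        # A privilege field arriving in a profile form is a tampering signal worth logging.
        raise ValueError(f"rejected form fields: {sorted(unexpected)}")
    profile = {"user": session["user"], "role": session["role"]}
    profile.update({k: v for k, v in submitted.items() if k in BINDABLE_FIELDS})
    return profile


def admin_action_allowed(session_id: str) -> bool:
    """Role-based check for an admin-only endpoint, evaluated server-side on every request."""
    session = SESSIONS.get(session_id)
    return session is not None and session["role"] == "admin"
```

The same allowlist-and-session rule applies to GET handlers: whether the parameters arrive in a body or a query string changes nothing about where the privilege decision must be made.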

Affected products

WP500 firmware version 0.65

Temporary Fix / Mitigation

Please update to firmware version 0.6.6.


Acknowledgment

Valency Networks, Pune

History

NA

Classification of Vulnerability