STVS ProVision Cross-Site Request Forgery (Add Admin)

severity
high
date
Affecting
  • 5.9.10 (build 2885-3a8219a)
  • 5.9.9 (build 2882-7c3b787)
  • 5.9.7 (build 2871-a450938)
  • 5.9.1 (build 2771-1bbed11)
  • 5.9.0 (build 2701-6123026)
  • 5.8.6 (build 2557-84726f7)
  • 5.7
  • 5.6
  • 5.5
CWE
  • CWE-352 Cross-Site Request Forgery (CSRF)
CVSS
7.1
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Credit
LiquidWorm as Gjoko Krstic of Zero Science Lab
Description
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. When an authenticated user visits a malicious web site, that site can trigger the forged request, allowing the attacker to create new admin users.
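
The validation whose absence is described above, as an added example that is not part of the original advisory and not STVS ProVision code: a server-side check that rejects state-changing requests unless they carry a same-site Origin (or Referer) and a session-bound token. The origin, field names, key handling and session id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical values for this sketch; none are taken from STVS ProVision.
SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret
TRUSTED_ORIGIN = "https://provision.example"  # constructed origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Derive a CSRF token bound to one session (HMAC of the session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers: dict) -> Optional[str]:
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if not parts.scheme or not parts.netloc:
        return None  # also covers the opaque "null" origin
    return f"{parts.scheme}://{parts.netloc}"


def is_request_allowed(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """Reject state-changing requests that cannot prove same-site intent."""
    if method.upper() in SAFE_METHODS:
        return True  # read-only methods; their handlers must not change state
    if source_origin(headers) != TRUSTED_ORIGIN:
        return False  # cross-site or missing origin information
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(supplied, issue_token(session_id).encode())


if __name__ == "__main__":
    sid = "constructed-session-id"
    form = {"username": "newadmin", "role": "admin", "csrf_token": issue_token(sid)}
    same_site = {"Origin": TRUSTED_ORIGIN}
    cross_site = {"Origin": "https://attacker.example"}
    print(is_request_allowed("POST", same_site, sid, form))    # True
    print(is_request_allowed("POST", cross_site, sid, form))   # False
    print(is_request_allowed("POST", same_site, sid, {"username": "newadmin"}))  # False
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` complements this check but does not replace it.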