Vendor: STVS ProVision
By: LiquidWorm
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: STVS ProVision
Affected Version From: 5.9.10 (build 2885-3a8219a)
Affected Version To: 5.5
Patch Exists: NO
Related CWE: N/A
CPE: a:stvs:stvs_provision
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 14.04.3, nginx/1.12.1, nginx/1.4.6, nginx/1.1.19, nginx/0.7.65, nginx/0.3.61
2021

STVS ProVision 5.9.10 – Cross-Site Request Forgery (Add Admin)

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Mitigation:

Validate all user input and ensure that requests are coming from trusted sources.
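
A server-side check of the kind the mitigation calls for, as an added example (not code from STVS ProVision or from the advisory): state-changing requests are accepted only when they come from the console's own origin and carry a token bound to the user's session. The origin `https://provision.example`, the `csrf_token` field name and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed values for illustration; none are taken from the product.
SERVER_KEY = secrets.token_bytes(32)               # per-deployment secret
TRUSTED_ORIGINS = {"https://provision.example"}    # hypothetical console origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # must never change state


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; embed it in every form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Return scheme://host[:port] from Origin, falling back to Referer.

    Header names are assumed to be normalised by the web framework.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None                                # e.g. "Origin: null"
    return f"{parts.scheme}://{parts.netloc}"


def is_request_allowed(method: str, headers: Mapping[str, str],
                       session_id: str, form: Mapping[str, str]) -> bool:
    """Allow a state-changing request only with same-origin proof and a valid token."""
    if method.upper() in SAFE_METHODS:
        return True
    if request_origin(headers) not in TRUSTED_ORIGINS:
        return False                               # cross-site or missing origin
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

A request forged from another site fails both checks: the browser reports the foreign origin, and the forging page cannot read the session-bound token.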

Exploit-DB raw data: