CVE-2021-47723 | Base score: 8.8 | Exploit available

STVS ProVision Cross-Site Request Forgery (Add Admin)

STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. An attacker can trigger the forged request by luring a logged-in user to a malicious web site, allowing the attacker to create new admin users.
Data provided by the National Vulnerability Database (NVD)
StvsProvision Version 5.5
StvsProvision Version 5.6
StvsProvision Version 5.7
StvsProvision Version 5.8.6
StvsProvision Version 5.9.0
StvsProvision Version 5.9.1
StvsProvision Version 5.9.7
StvsProvision Version 5.9.9
StvsProvision Version 5.9.10
No advisory was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.16%   0.058

CVSS Metrics
Source                     Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov               8.8          2.8             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
disclosure@vulncheck.com   6.9          0               0              CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://www.exploit-db.com/exploits/49482 (Technical Description)
http://www.stvs.ch (Product)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5625.php (Third Party Advisory)
https://www.vulncheck.com/advisories/stvs-provision-cross-site-request-forgery-add-admin (Third Party Advisory)