Cross-Site Request Forgery- Smartvista SVFE-2 Module [CVE-2018-15206]
[+] Credits: Neeraj Kumar, Raj Kumar Yadav
[+] Email: neeraj.iiita2009@gmail.com

Vendor:
====================
https://www.bpcbt.com/

Product:
===================
Smartvista

Version:
===================
Smartvista Front-End (SVFE) - Version 2

Vulnerability Type:
==========================
Cross-Site Request Forgery

Affected component(s):
==========================
createrole.jsf page
https://<Target-IP:Port>/SVFE2/pages/admpages/roles/createrole.jsf

CVE Reference:
==============
CVE-2018-15206

Vulnerability Details:
======================
Smartvista is a suite of payment infrastructure and management systems created by BPC Group. The createrole.jsf page is vulnerable to a CSRF attack, meaning an attacker can perform malicious actions on behalf of a valid user by sending crafted links to an authenticated user via phishing or social engineering.

CSRF PoC Code:
======================
<html>
<!-- CSRF PoC -->
...
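The defensive counterpart to the issue above, as an added example that is not part of the advisory and not BPC or Smartvista code: a server-side CSRF check that a state-changing endpoint such as a role-creation form should apply. Python is used here for a runnable illustration rather than the JSF/Java stack the product runs on. It layers two independent checks: a per-session synchronizer token echoed in the form body and compared in constant time, and an Origin/Referer check that rejects requests launched from a foreign page before the token is even examined. The `Request` class, the `JSESSIONID` cookie name, the `csrf_token` field name and the trusted host value are all assumptions made for the example.

```python
"""Added example: server-side CSRF defence for a state-changing form endpoint."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# In-memory stand-in for server-side session storage (assumption: a real app
# would keep the token in the session object, not a module-level dict).
SESSION_TOKENS: dict[str, str] = {}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(session_id: str) -> str:
    """Mint a fresh, unguessable per-session token to embed as a hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


@dataclass
class Request:
    """Minimal constructed request model (assumed shape, not a framework class)."""
    method: str
    headers: dict[str, str]
    cookies: dict[str, str]
    form: dict[str, str] = field(default_factory=dict)


def origin_allowed(req: Request, trusted_host: str) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) matches the app's host.

    A request launched from a phishing page carries that page's origin, so it
    fails here. A state-changing request with neither header is refused rather
    than trusted, since the browser normally sends Origin on cross-site POSTs.
    """
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == trusted_host.lower()


def csrf_check(req: Request, trusted_host: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a request to a state-changing endpoint."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(req, trusted_host):
        return False, "cross-site origin"
    session_id = req.cookies.get("JSESSIONID", "")  # assumed session cookie name
    expected = SESSION_TOKENS.get(session_id)
    supplied = req.form.get("csrf_token", "")  # assumed hidden field name
    # Constant-time comparison on bytes: avoids timing leaks and TypeError on
    # non-ASCII input.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    host = "svfe.example:8443"  # constructed trusted host
    token = issue_token("sess-1")
    legit = Request("POST", {"Origin": "https://svfe.example:8443"},
                    {"JSESSIONID": "sess-1"}, {"roleName": "auditor", "csrf_token": token})
    forged = Request("POST", {"Origin": "https://phishing.example"},
                     {"JSESSIONID": "sess-1"}, {"roleName": "auditor"})
    print("legitimate:", csrf_check(legit, host))
    print("forged:    ", csrf_check(forged, host))
```

The two checks are deliberately independent: the Origin check alone is weakened by clients that strip Referer and by same-site injection, while the token alone is defeated if a token ever leaks; requiring both means a forged cross-site POST to the role-creation page is rejected even though the victim's session cookie is attached to it.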