Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery

Medium
Advisory ID: ZSL-2019-5502
Release Date: 05 January 2019
Vendor: Leica Geosystems AG - https://www.leica-geosystems.com
Affected Version: 4.30.063, 4.20.232, 4.11.606, 3.22.1818, 3.10.1633, 2.62.782, 1.00.395
Tested On: BarracudaServer.com (WindowsCE)
Summary

The Leica GR10 is the next generation GNSS reference station receiver that combines the latest state-of-the-art technologies with a streamlined 'plug and play' workflow. Designed for a wide variety of GNSS reference station applications, the Leica GR10 offers new levels of simplicity, reliability and performance.

Description

The web application interface allows users to perform certain actions via HTTP requests without any check that the request actually originated from the application's own pages (no anti-CSRF token, no origin validation). This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
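The missing check, and one way a device web interface can close it, as an added illustration (not Leica's or BarracudaServer's code). The device origin, session layout, form fields and header values below are constructed assumptions; the weak check is shown beside the hardened one so the difference is visible on the same request.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "https://gr10.example.internal"  # assumed receiver address


def vulnerable_is_allowed(session: dict, form: dict) -> bool:
    """Weak check: a valid session cookie alone authorizes a state-changing
    request, so a form auto-submitted from another site passes."""
    return session.get("authenticated", False)


def issue_csrf_token(session: dict) -> str:
    """Bind a random synchronizer token to the logged-in session; the UI
    would embed it in every state-changing form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hardened_is_allowed(session: dict, headers: dict, form: dict) -> bool:
    """Require that the browser-reported Origin (Referer as fallback) is the
    device itself AND that the form carries the session's token."""
    if not session.get("authenticated", False):
        return False
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != DEVICE_ORIGIN:
        return False
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


# Constructed sample session and requests, not captured from a device.
SESSION = {"authenticated": True}
TOKEN = issue_csrf_token(SESSION)
LEGIT_HEADERS = {"Origin": DEVICE_ORIGIN}
LEGIT_FORM = {"action": "reboot", "csrf_token": TOKEN}
FORGED_HEADERS = {"Origin": "https://attacker.example"}
FORGED_FORM = {"action": "reboot"}  # cross-site form: no token available
```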

Proof of Concept
Disclosure Timeline: N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
05.01.2019 - Initial release
14.01.2019 - Added reference [1], [2] and [3]
24.03.2026 - Added reference [4]