
Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User

High
Advisory ID
ZSL-2020-5567
Release Date
04 June 2020
Vendor
Secure Computing Corp. - http://www.securecomputing.com
Affected Version
3.1.5u1
Tested On
fnord/1.9, Apache 1.3.27 (Unix), Linux 2.4.31
Summary

The SG gateway appliance range provides Internet security and privacy of communications for small and medium enterprises, and branch offices. It simply and securely connects your office to the Internet, and with its robust stateful firewall, shields your computers from external threats.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
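The validity check that the description says is missing can be sketched as follows. This is an added example, not code from the advisory or the vendor: it rejects state-changing requests unless they carry the console's own origin and a token bound to the administrator's session. The function names, the `csrf_token` form field and the server key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a per-deployment secret known only to the management console.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; the UI embeds it in every form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict, expected_origin: str) -> bool:
    """Check Origin (Referer as fallback) against the console's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sends neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}".lower() == expected_origin.lower()


def request_is_valid(method: str, headers: dict, form: dict,
                     session_id: str, expected_origin: str) -> bool:
    """Accept a state-changing request only if it came from the console UI."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must never change configuration
    if not same_origin(headers, expected_origin):
        return False
    supplied = form.get("csrf_token", "")  # hypothetical hidden form field
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from the appliance.
    origin, sid = "https://192.0.2.1", "constructed-session-id"
    good = {"csrf_token": issue_csrf_token(sid)}
    print(request_is_valid("POST", {"Origin": origin}, good, sid, origin))
    print(request_is_valid("POST", {"Origin": "https://other.example"}, {}, sid, origin))
```

A request submitted by a page on another site fails both checks: the browser reports that site's origin, and the page cannot read the session-bound token.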

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
04.06.2020 - Initial release
05.06.2020 - Added reference [1], [2] and [3]
24.03.2026 - Added reference [4]