B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin

High
Advisory ID: ZSL-2020-5589
Release Date: 19 September 2020
Vendor: B-Swiss SARL, b-tween Sarl - https://www.b-swiss.com
Affected Version: 3.6.5, 3.6.2, 3.6.1, 3.6.0, 3.5.80, 3.5.40, 3.5.20, 3.5.00, 3.2.00, 3.1.00
Tested On: Linux 5.3.0-46-generic x86_64, Linux 4.15.0-20-generic x86_64, Linux 4.9.78-xxxx-std-ipv6-64, Linux 4.7.0-040700-generic x86_64, Linux 4.2.0-27-generic x86_64, Linux 3.19.0-47-generic x86_64, Linux 2.6.32-5-amd64 x86_64, Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64, macOS 10.13.5, Microsoft Windows 7 Business Edition SP1 i586, Apache/2.4.29 (Ubuntu), Apache/2.4.18 (Ubuntu), Apache/2.4.7 (Ubuntu), Apache/2.2.22 (Win64), Apache/2.4.18 (Ubuntu), Apache/2.2.16 (Debian), PHP/7.2.24-0ubuntu0.18.04.6, PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1, PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1, PHP/5.6.31, PHP/5.6.30-10+deb.sury.org~xenial+2, PHP/5.5.9-1ubuntu4.17, PHP/5.5.9-1ubuntu4.14, PHP/5.3.10, PHP/5.3.13, PHP/5.3.3-7+squeeze16, PHP/5.3.3-7+squeeze17, MySQL/5.5.49, MySQL/5.5.47, MySQL/5.5.40, MySQL/5.5.30, MySQL/5.1.66, MySQL/5.1.49, MySQL/5.0.77, MySQL/5.0.12-dev, MySQL/5.0.11-dev, MySQL/5.0.8-dev, phpMyAdmin/3.5.7, phpMyAdmin/3.4.10.1deb1, phpMyAdmin/3.4.7, phpMyAdmin/3.3.7deb7, WampServer 3.2.0, Acore Framework 2.0
Summary

Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project.

Description

The application interface allows users to perform certain actions via HTTP requests without performing any validity check to verify that the request was intentionally issued from the application itself. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
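As an added illustration of the validity check the description says is missing (this is not code from the advisory or from the B-swiss product), the following Python sketch gates a hypothetical "add admin" POST behind a session-bound synchronizer token plus an Origin check; the secret key, allowed origin and session id are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlparse

# Constructed placeholders: a real application would load these from its config.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
ALLOWED_ORIGIN = "https://signage.example"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token: random nonce + HMAC binding the nonce to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare it in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_is_allowed(headers: dict) -> bool:
    """State-changing requests must carry an Origin (or Referer) matching the app."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlparse(src)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def authorize_admin_add(session_id: str, headers: dict, form: dict) -> Tuple[bool, str]:
    """Gate for the hypothetical 'add admin' POST handler: both checks must pass."""
    if not origin_is_allowed(headers):
        return False, "rejected: cross-site or missing Origin"
    if not csrf_token_is_valid(session_id, form.get("csrf_token", "")):
        return False, "rejected: missing or invalid CSRF token"
    return True, "accepted"


if __name__ == "__main__":
    sid = "sess-constructed-123"
    legit = {"username": "maint", "csrf_token": issue_csrf_token(sid)}
    print(authorize_admin_add(sid, {"Origin": ALLOWED_ORIGIN}, legit))
    # A forged cross-site form post rides on the victim's cookie but has no valid token.
    print(authorize_admin_add(sid, {"Origin": "https://attacker.example"}, {"username": "maint"}))
```

The token must be regenerated per session (or per form) and never accepted from a cookie alone, otherwise the browser would attach it automatically and the check would add nothing.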

Proof of Concept
Disclosure Timeline
13.06.2020 Vulnerability discovered.
15.07.2020 Vendor contacted. (webform)
17.07.2020 No response from the vendor.
18.07.2020 Vendor contacted. (email)
21.07.2020 Vendor responds asking for more details.
21.07.2020 Sent overview to the vendor asking for a secure channel.
23.07.2020 No response from the vendor.
24.07.2020 Asked vendor for comment/update/status.
27.07.2020 Vendor asks for more details.
27.07.2020 Sent details to the vendor.
29.07.2020 Asked vendor for status update.
30.07.2020 Vendor responds with questions.
30.07.2020 Replied to the vendor.
31.07.2020 Vendor looking into roadmap for the problems identified.
03.08.2020 Replied to the vendor.
05.08.2020 Vendor responds: if the reported vulnerabilities are applicable they will create a patch for customers.
06.08.2020 Asked vendor for patch milestone.
06.08.2020 Vendor doesn't know.
18.08.2020 Asked vendor for status update.
18.09.2020 No response from the vendor.
18.09.2020 Asked vendor for status update.
18.09.2020 Vendor refuses to provide any further information.
18.09.2020 Replied to the vendor, advisory release scheduled 19.09.2020.
18.09.2020 Vendor working on fix, will inform us when issues have been solved.
18.09.2020 Replied to the vendor.
19.09.2020 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
19.09.2020 Initial release
30.09.2020 Added references [1], [2] and [3]
19.06.2021 Added references [4] and [5]