All-Dynamics Software enlogic:show Digital Signage System 2.0.2 CSRF Add Admin

Title: All-Dynamics Software enlogic:show Digital Signage System 2.0.2 CSRF Add Admin
Advisory ID: ZSL-2020-5576
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 31.07.2020
Summary
Bring communication with your customers, guests or employees to a new level. You can design content individually and without complication, manage it centrally, and simply present it in different locations. Whether on large displays, steles, digital signs or on a projector, with enlogic:show your content will appear on the selected display in a calendar-controlled and precise manner.
Description
The application interface allows users to perform certain actions via HTTP requests without any validity check that the requests were actually issued by the user from the application's own pages. This can be exploited to perform certain actions with administrative privileges (for example, adding an administrator account) if a logged-in user visits a malicious web site.
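The following is an added example of the missing check, written for this advisory and not taken from the vendor's code. It shows the synchronizer-token pattern plus an Origin/Referer check in PHP (the stack listed under Tested On), applied to a hypothetical "add user" endpoint. The endpoint path, the form field names, the function add_admin_user() and the ALLOWED_ORIGINS value are assumptions.

```php
<?php
// Added example, not the vendor's code: CSRF protection for a hypothetical
// POST /admin/users/add handler. Names and paths below are assumptions.
declare(strict_types=1);

// Assumed deployment origin of the management interface (scheme://host[:port]).
const ALLOWED_ORIGINS = ['https://signage.example.test'];

// Harden the session cookie before the session starts (PHP 7.3+ options array).
// SameSite=Lax makes browsers omit the cookie on cross-site POSTs, which alone
// would already block the form-based attack described in this advisory.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the panel is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Issue (or reuse) a per-session random token to embed in every state-changing form. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the one stored in the session. */
function csrf_token_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

/**
 * Second line of defence: the Origin header (or, failing that, the Referer)
 * must name this application. A third-party page cannot forge either header
 * from a browser, so a mismatch or absence is treated as a cross-site request.
 */
function request_origin_allowed(array $server): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin !== null && in_array($origin, ALLOWED_ORIGINS, true);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null) || !request_origin_allowed($_SERVER)) {
        // Log the rejection: repeated failures from one session are a useful detection signal.
        error_log('CSRF check failed on /admin/users/add from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Request rejected.');
    }
    // Only a request that passed both checks reaches the privileged action.
    add_admin_user($_POST['username'] ?? '', $_POST['password'] ?? ''); // assumed application function
}
?>
<!-- The token is embedded server-side; a page on another origin cannot read it. -->
<form method="post" action="/admin/users/add">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Add user</button>
</form>
```

The token check is the primary control: a cross-site page can submit the form but cannot obtain the per-session value. The origin check and the SameSite cookie attribute are defence in depth, so that a single defect (for instance, a token leaked through a reflected page) does not reopen the issue.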
Vendor
All-Dynamics Software GmbH - https://www.all-dynamics.de
Affected Version
2.0.2 (Build 2098) ILP32W 0/1/3/1597919619
Tested On
enlogic:show server
Microsoft Windows Server 2019
Microsoft Windows Server 2016
Microsoft Windows Server 2012
Microsoft Windows 10
GNU/Linux
Apache
PHP
Vendor Status
[21.07.2020] Vulnerability discovered.
[24.07.2020] Vendor contacted.
[24.07.2020] Vendor creates Ticket#2020072410000011.
[27.07.2020] Vendor responds asking more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Vendor confirms the issue scheduling new fixed version release.
[29.07.2020] Replied to the vendor.
[31.07.2020] Vendor releases version 2.0.3 (Build 2102) that addresses this issue.
[31.07.2020] Coordinated public security advisory release.
PoC
enlogic_csrf.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.enlogic-show.com/support/changelog/news/2_0_3.html
[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5577.php
[3] https://packetstormsecurity.com/files/158701
[4] https://www.exploit-db.com/exploits/48736
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/186430
Changelog
[31.07.2020] - Initial release
[14.08.2020] - Added reference [3], [4] and [5]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk