Key Information

Vulnerability Name: Bypassing CSRF Protection in Smartvista BackOffice
CVE ID: CVE-2023-50255
Vendor: https://www.bpcbt.com/
Tested Product: SmartVista Suite 2.2.22, Instance: XXX-PROD 2.42.2.1218

Vulnerability Overview

Description
By converting a POST request into a GET request (carrying all of the original parameters in the query string), an attacker can bypass the CSRF protection tied to the parameter (which is sent both as a request header and as a request parameter). The token is not validated on the GET path, so every state-changing operation becomes reachable through a plain GET request, which is all a CSRF attack needs.

Impact
The application is susceptible to CSRF attacks. An attacker can send a malicious link to an authenticated user, using phishing or other social engineering, and perform actions on that user's behalf without the user noticing. Such actions include adding users with elevated privileges, changing any user's password without supplying the previous password, and invoking other system functions without authorization.

Location
All functions within the system that perform add, modify, or delete operations.

References
https://owasp.org/www-community/attacks/csrf#get-scenario

Proof of Concept
Video Attachment: CSRF_Bypass_Exploitation_and_Unauthorized_Person_Creation_Example.mp4
Explanation of Actions in Video:
- Demonstrates the process of bypassing CSRF protection.
- Example: creating a new user by tricking a logged-in user into visiting a malicious website.

Steps to Bypass CSRF Protection
1. Log in > Administrator > Users (Permissions) > Add > Person Search
2. Add a new person (in order to capture the original POST request for adding a person).
3. Convert the captured POST request into a GET request with the same parameters; the CSRF token is no longer validated. The person is still added even after the parameter is removed entirely.
4. Copy the resulting GET URL for adding a person for use in the exploit.

Exploitation Example
1. Create a malicious website containing a script that redirects the visitor to the "Add Person" GET URL.
2. The user visits the malicious website at and is immediately redirected; the browser attaches the user's session cookie to the redirected request.
3. Check the list of persons: the new person has been added, so the exploitation succeeded.

This is an example of an attack exploiting CSRF to create a new person. In practice, attackers could embed the URL for creating an admin-level privileged user within an tag and trigger it silently, making the CSRF attack difficult for users to detect.
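The following is an added example, not code from the advisory or from the vendor. It models the root cause described in the bypass steps (a CSRF check that only runs for POST, while the same parameters over GET reach the state change unchecked) next to a hardened handler, and replays the captured-POST-to-GET conversion against both. The endpoint path, header names, parameter names, cookie name and session data are assumptions made for the illustration.

```javascript
// Added example (not from the advisory): why a CSRF check that only runs on
// POST is defeated by replaying the request as GET, and a hardened handler.
// Endpoint path, header names, parameter names and session data below are
// assumptions for illustration, not identifiers from the product.

// Constructed session store: cookie value -> session state (sample data).
const sessions = {
  "sess-admin-1": { user: "admin", csrfToken: "tok-9f3c" },
};

// Build a request from method, URL, headers and a form-encoded body.
// For GET the parameters come from the query string, for POST from the body.
function parseRequest(method, urlString, headers = {}, body = "") {
  const url = new URL(urlString, "https://backoffice.example");
  const params = new URLSearchParams(method === "GET" ? url.search : body);
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return { method, path: url.pathname, params, headers: lower };
}

// Resolve the session from the "session" cookie, if present.
function sessionOf(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? sessions[m[1]] : undefined;
}

// Vulnerable handler: the token is compared only when the method is POST.
// A GET carrying the same parameters reaches the state change unchecked,
// which is the bypass the advisory describes. Returns an HTTP status code.
function addPersonVulnerable(req, people) {
  const session = sessionOf(req);
  if (!session) return 401;
  if (req.method === "POST" &&
      req.params.get("csrf_token") !== session.csrfToken) return 403;
  people.push(req.params.get("name"));
  return 200;
}

// Hardened handler: never mutate state on GET, require the token both in the
// header and in the body, and bind both to the token stored in the session.
function addPersonHardened(req, people) {
  const session = sessionOf(req);
  if (!session) return 401;
  if (req.method !== "POST") return 405;
  const header = req.headers["x-csrf-token"];
  const param = req.params.get("csrf_token");
  if (!header || header !== session.csrfToken || param !== header) return 403;
  // Defence in depth: browsers label cross-site requests via Sec-Fetch-Site.
  const site = req.headers["sec-fetch-site"];
  if (site && site !== "same-origin") return 403;
  people.push(req.params.get("name"));
  return 200;
}

// Step 3 of the advisory: rebuild a captured POST as a GET with the same
// parameters in the query string. Custom headers such as the token header are
// not carried over, exactly as with a cross-site redirect or image tag.
function postToGet(req) {
  const query = new URLSearchParams(req.params).toString();
  return parseRequest("GET", `${req.path}?${query}`, { cookie: req.headers.cookie });
}

// Replay the scenarios a tester would try against both handlers and return
// the status codes keyed by scenario name, plus how many persons got added.
function runScenarios() {
  const cookie = "session=sess-admin-1";
  const legit = parseRequest("POST", "/person/add",
    { Cookie: cookie, "X-CSRF-Token": "tok-9f3c", "Sec-Fetch-Site": "same-origin" },
    "name=Eve&csrf_token=tok-9f3c");
  const replayed = postToGet(legit);                     // token still in query
  replayed.headers["sec-fetch-site"] = "cross-site";
  const stripped = parseRequest("GET", "/person/add?name=Eve",
    { Cookie: cookie, "Sec-Fetch-Site": "cross-site" }); // token removed
  const crossPost = parseRequest("POST", "/person/add",
    { Cookie: cookie, "Sec-Fetch-Site": "cross-site" }, "name=Eve");

  const results = {};
  for (const [name, handler] of [["vulnerable", addPersonVulnerable],
                                 ["hardened", addPersonHardened]]) {
    const people = [];
    results[name] = {
      legitimatePost: handler(legit, people),
      postReplayedAsGet: handler(replayed, people),
      getWithoutToken: handler(stripped, people),
      crossSitePostWithoutToken: handler(crossPost, people),
      peopleAdded: people.length,
    };
  }
  return results;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The vulnerable handler accepts both the GET replay and the GET with the token removed, matching the advisory's observation that the person is added even after the parameter is dropped; the hardened handler answers 405 to both because the state change is only reachable over POST, where the token is bound to the session. Note that a session cookie marked SameSite=Lax is still sent on a top-level cross-site GET navigation, which is why the redirect in the exploitation example works; restricting state-changing endpoints to POST is the fix, and the Sec-Fetch-Site check only helps with browsers that send that header.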