Title: Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control
Advisory ID: ZSL-2021-5689
Type: Local/Remote
Impact: Cross-Site Scripting, Security Bypass
Risk: 3/5
Release Date: 13.12.2021

Summary:
CLOKI is a pre-installed access control and attendance monitoring application. Exploiting a CSRF vulnerability allows an attacker to perform actions such as authentication detriment and password changes with admin privileges if a logged-in user visits a malicious site.

Affected Versions: 1.64, 1.63, 1.54

PoC: clooki_csrf.html

Vulnerability discovered by: Gjoko Krstic

References:
[1] https://packetstormsecurity.com/files/165267/
[2] https://www.exploit-db.com/exploits/50595
[3] https://cxsecurity.com/issue/WLB-2021120072
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/215287