// For flags

CVE-2023-47020

 

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the user to an administrator group. This is exploited by an undisclosed function in the WSDL that lacks security controls and can accept custom content types.

El encadenamiento de Multiple Cross-Site Request Forgery (CSRF) en NCR Terminal Handler v.1.5.1 permite que un atacante aumente los privilegios a través de una solicitud manipulada que implica la creación de una cuenta de usuario y la adición del usuario a un grupo de administradores. Esto es aprovechado por una función no revelada en el WSDL que carece de controles de seguridad y puede aceptar tipos de contenido personalizados.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-10-30 CVE Reserved
  • 2024-02-08 CVE Published
  • 2024-02-15 EPSS Updated
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ncratleos
Search vendor "Ncratleos"
 Terminal Handler
Search vendor "Ncratleos" for product "Terminal Handler"
 1.5.1
Search vendor "Ncratleos" for product "Terminal Handler" and version "1.5.1"
-
Affected