Vulnerability Description
An issue was discovered in fs.com S3900 24T4S firmware 1.7.0 and earlier. The administrative web form has no anti-CSRF token or equivalent request-origin check, so a remote attacker can forge requests that are executed on behalf of a logged-in site administrator and change any setting, including deleting users and creating new users with escalated privileges.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fs | S3900 24T4S Firmware | <= 1.7.0 |
| Fs | S3900 24T4S | - |
Related Weaknesses (CWE)
References
- https://github.com/M0NsTeRRR/CVE-2020-24033 (Exploit, Third Party Advisory)
- https://github.com/M0NsTeRRR/S3900-24T4S-CSRF-vulnerability (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-24033?
CVE-2020-24033 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in fs.com S3900 24T4S firmware 1.7.0 and earlier. The administrative web form has no anti-CSRF token or equivalent request-origin check, so a remote attacker can forge requests on behalf of ...
How severe is CVE-2020-24033?
CVE-2020-24033 has been rated HIGH with a CVSS base score of 8.8/10; the CVSS Score section above gives the rating recorded for this entry.
Is there a patch for CVE-2020-24033?
The references section above lists third-party advisories and exploit write-ups; no vendor advisory is recorded on this page. Affected products are Fs S3900 24T4S Firmware (<= 1.7.0) and Fs S3900 24T4S.