La nuova immagine di TIM
Una nuova immagine con uno stile dinamico, colori moderni e persone che occupano quasi interamente la scena. Scopri di più
Presentazione dei Risultati H1 2025
Vai alla pagina
La Sostenibilità per TIM
Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci
Ultimi Comunicati Stampa
Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati
Vulnerability Description: Cross-Site Request Forgery (CSRF)– CWE-352
Software Version: 2.3.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684
CVSS: 8.8
Severity: High
Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
The device does not implement an Anti-CSRF token to protect the device against potential cross site request forgery attack.
Step-by-step instructions and PoC
Below are the evidences with the vulnerability details and the payloads used.
The device doesn’t implement protection against Cross-Site Request Forgery (CSRF). The user could be tricked by an attacker into making an unintentional request to the web server which will be treated as an authentic request. Here the PoC used to trick the user: the message showed in the banner will be changed into ‘CSRFATTACK’.
Figure 18: Banner html
After the user submit the request using the PoC, the banner is actually changed.
Figure 19: Banner
Security Impact
An attacker could effectively perform any operations as the victim. These may include: obtaining complete control over the web application, deleting or stealing data. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.