CVE-2021-37381

8.8 HIGH

📋 TL;DR

Southsoft GMIS 5.0 is vulnerable to Cross-Site Request Forgery (CSRF) that exposes other students' private information, including photos. The photo-display endpoint trusts any valid session and serves whatever student ID is supplied in the bh= URL parameter, so an attacker who holds, or can ride, an authenticated session simply substitutes another student's ID. Because the server never checks that the session owner is entitled to the requested record, anti-CSRF tokens alone do not close the hole; the missing authorization check has to be fixed as well. Every GMIS 5.0 user with access to student photo information is affected.

💻 Affected Systems

Products:
  • Southsoft GMIS
Versions: 5.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of Southsoft GMIS 5.0. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass exfiltration of every student's private photo and personal record by scripting requests that step through student IDs in the bh= parameter within one valid session, leading to privacy violations and potential blackmail.

🟠 Likely Case

Targeted access to specific students' private photos by malicious actors, resulting in privacy breaches and potential harassment.

🟢 If Mitigated

No unauthorized access is possible once CSRF protections and per-record access controls are in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely if the application is internet-facing, allowing attackers to target users from anywhere.
🏢 Internal Only: MEDIUM - Even internally, malicious insiders or compromised internal accounts could exploit this vulnerability to access unauthorized data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation as CSRF requires luring an authenticated user to a malicious page or link. An attacker who already holds a valid session of their own (any account with access to student photos) needs no victim at all and simply changes the bh= value. The request is a single GET, and the technique is documented in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Implement workarounds and consider upgrading to a newer version if available from the vendor.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add anti-CSRF tokens to all state-changing requests and to the photo access endpoints

Issue a unique per-session token and include it in every form and AJAX request
Validate the token server-side before processing the request
A token only stops requests forged from another site; it does nothing against an authenticated user who edits bh= in their own browser, so pair it with a server-side check that the session owner is entitled to the requested student ID

SameSite Cookie Attribute

Applies to: all

Set SameSite=Strict or SameSite=Lax on the session cookie

Set-Cookie: sessionid=xxx; SameSite=Strict; Secure; HttpOnly

Lax still sends the cookie on top-level GET navigations (a clicked link), so only Strict stops a lured click on a photo URL; Strict may in turn break links arriving from e-mail or an SSO portal. If the session is carried in the URL path rather than in a cookie, which the (S(...)) segment of the affected endpoint suggests (ASP.NET cookieless session state), cookie attributes do not apply at all; move to cookie-based sessions first.
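
The following is an added example, not Southsoft GMIS code: a small Python model of a photo endpoint showing the lookup the advisory describes beside a hardened version that applies the controls above (cross-site check, per-session CSRF token) plus the per-record authorization check that actually stops bh= manipulation. The session/request model, the role names "student" and "staff", the host gmis.example.edu and every helper function are assumptions; only the endpoint path and the bh= parameter come from the advisory.

```python
"""Model of a student-photo endpoint: the lookup the advisory describes next to
a hardened version. Added example; not Southsoft GMIS code. The session/request
model, the role names, the host name and all helper functions are assumptions.
Only the endpoint path and the bh= parameter come from the advisory."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse
import secrets

PHOTO_PATH = "/student/grgl/PotoImageShow/"   # path from the advisory
OWN_HOST = "gmis.example.edu"                  # assumed deployment host

# Constructed sample store: student ID (bh) -> photo bytes.
PHOTOS: Dict[str, bytes] = {
    "2019001": b"<jpeg of student 2019001>",
    "2019002": b"<jpeg of student 2019002>",
}


@dataclass
class Session:
    user_bh: str                 # student ID this session belongs to
    role: str = "student"        # assumed roles: "student" or "staff"
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    query: Dict[str, str]
    headers: Dict[str, str]
    session: Optional[Session]   # resolved from the session cookie by the framework


def vulnerable_photo_handler(req: Request) -> Tuple[int, bytes]:
    """Behaviour the advisory describes: any valid session may read any bh."""
    if req.session is None:
        return 401, b""
    photo = PHOTOS.get(req.query.get("bh", ""))
    return (200, photo) if photo else (404, b"")


def is_cross_site(req: Request) -> bool:
    """True when the request did not come from our own site. Sec-Fetch-Site is
    authoritative when a browser sends it ("none" = typed URL/bookmark, allowed);
    otherwise fall back to the Origin or Referer host."""
    sfs = req.headers.get("Sec-Fetch-Site")
    if sfs is not None:
        return sfs not in ("same-origin", "same-site", "none")
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False             # no signal; the token and authorization checks still apply
    return urlparse(source).hostname != OWN_HOST


def hardened_photo_handler(req: Request) -> Tuple[int, bytes]:
    """Same lookup with a cross-site check, a per-session CSRF token and, most
    importantly, an authorization check on the requested student ID."""
    if req.session is None:
        return 401, b""
    if is_cross_site(req):
        return 403, b""
    supplied = req.query.get("token", "")
    if not supplied.isascii() or not secrets.compare_digest(supplied, req.session.csrf_token):
        return 403, b""          # missing or wrong anti-CSRF token
    bh = req.query.get("bh", "")
    # This is the check that stops bh= manipulation: a student may only read
    # their own record; staff (assumed role) may read any.
    if req.session.role != "staff" and bh != req.session.user_bh:
        return 403, b""
    photo = PHOTOS.get(bh)
    return (200, photo) if photo else (404, b"")


def make_request(session: Optional[Session], bh: str, token: Optional[str] = None,
                 headers: Optional[Dict[str, str]] = None) -> Request:
    query = {"bh": bh}
    if token is not None:
        query["token"] = token
    return Request(query=query, headers=dict(headers or {}), session=session)


def demo() -> Dict[str, int]:
    """Status codes for the scenarios that matter; sessions are constructed."""
    alice = Session(user_bh="2019001")
    clerk = Session(user_bh="9000001", role="staff")
    same = {"Sec-Fetch-Site": "same-origin"}
    cases = {
        "vuln_other_student": vulnerable_photo_handler(make_request(alice, "2019002")),
        "hard_own_record": hardened_photo_handler(make_request(alice, "2019001", alice.csrf_token, same)),
        "hard_other_student": hardened_photo_handler(make_request(alice, "2019002", alice.csrf_token, same)),
        "hard_staff_any": hardened_photo_handler(make_request(clerk, "2019002", clerk.csrf_token, same)),
        "hard_cross_site": hardened_photo_handler(make_request(alice, "2019001", alice.csrf_token, {"Sec-Fetch-Site": "cross-site"})),
        "hard_foreign_referer": hardened_photo_handler(make_request(alice, "2019001", alice.csrf_token, {"Referer": "https://attacker.example/lure"})),
        "hard_no_token": hardened_photo_handler(make_request(alice, "2019001", None, same)),
    }
    return {name: status for name, (status, _body) in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The vulnerable handler returns 200 for another student's ID; the hardened one returns 403 for that case while still serving a student's own record and letting the (assumed) staff role read any record. Note the order of checks: the authorization test runs even when the request is same-site and carries a valid token, because that is exactly the case the CSRF-only fixes leave open.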

🧯 If You Can't Patch

  • Configure WAF rules to reject requests to the PotoImageShow endpoint whose Origin or Referer names a host other than the application's own, or whose Sec-Fetch-Site header is cross-site; log rather than block requests with no Referer at all, since direct loads also lack one
  • Restrict access to the vulnerable endpoints using network segmentation or IP allowlisting

🔍 How to Verify

Check if Vulnerable:

From a valid session, request /gmis/(S(*))/student/grgl/PotoImageShow/?bh=* with the bh= value of a different student (use only IDs you are authorized to view); if that student's photo is returned, the authorization check is missing. Then repeat the request for your own ID with a foreign Origin/Referer header, or embedded in a page on another site; if it is still served, there is no CSRF protection either.

Check Version:

Check application version in admin panel or configuration files (typically shows 'GMIS 5.0')

Verify Fix Applied:

Confirm that the photo endpoint rejects any bh= value the session owner is not entitled to, that requests without a valid per-session CSRF token are refused, and that the session cookie carries SameSite, Secure and HttpOnly.
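
The probe below is an added example, not a Southsoft tool, that performs the two checks above: it requests another student's bh= from a valid session, then requests your own bh= with attacker-style Origin/Referer headers, and reports whether an image came back in each case. The base URL, session token and student IDs are supplied on the command line and are assumptions; the endpoint layout comes from the advisory, and the (S(...)) path segment is the ASP.NET cookieless session-ID format, so the session token travels in the path. Only run it against systems and IDs you are authorized to test.

```python
"""Probe for the two verification conditions: does the photo endpoint serve
another student's record to a session that should not see it, and does it
answer a request carrying a foreign Origin/Referer? Added example, not a
Southsoft tool. Host, session token and student IDs are placeholders given on
the command line; a refused request is assumed to return a non-200 status or a
non-image body. Test only IDs you are authorized to view."""
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import quote

Response = Tuple[int, str, int]       # (status, content-type, body length)


def photo_url(base: str, session_token: str, bh: str) -> str:
    """Build the endpoint URL; the session goes in the (S(...)) path segment,
    the student ID in the bh= query parameter."""
    base = base.rstrip("/")
    return (f"{base}/gmis/(S({quote(session_token, safe='')}))"
            f"/student/grgl/PotoImageShow/?bh={quote(bh, safe='')}")


def fetch(url: str, headers: Optional[Dict[str, str]] = None, timeout: int = 10) -> Response:
    """GET the URL; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            return resp.status, resp.headers.get("Content-Type", ""), len(body)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), 0


def served_image(r: Response) -> bool:
    return r[0] == 200 and r[1].lower().startswith("image/") and r[2] > 0


def verdict(own: Response, other: Response, foreign: Response) -> Dict[str, bool]:
    """own: own bh, clean request. other: another student's bh, same session.
    foreign: own bh sent with attacker Origin/Referer headers."""
    return {
        "baseline_ok": served_image(own),                 # the session works at all
        "other_student_readable": served_image(other),    # missing authorization check
        "no_cross_site_check": served_image(foreign),     # no origin/CSRF validation
    }


def main(argv) -> int:
    if len(argv) != 5:
        print("usage: probe.py BASE_URL SESSION_TOKEN OWN_BH OTHER_BH", file=sys.stderr)
        return 2
    base, token, own_bh, other_bh = argv[1:]
    attacker = {"Origin": "https://attacker.example",          # assumed foreign origin
                "Referer": "https://attacker.example/lure"}
    v = verdict(fetch(photo_url(base, token, own_bh)),
                fetch(photo_url(base, token, other_bh)),
                fetch(photo_url(base, token, own_bh), attacker))
    for key, value in v.items():
        print(f"{key}: {value}")
    if not v["baseline_ok"]:
        print("baseline failed: check the session token before trusting the other results",
              file=sys.stderr)
        return 2
    return 1 if v["other_student_readable"] or v["no_cross_site_check"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit status 1 means at least one check failed (the instance is vulnerable), 0 means both were refused, and 2 means the baseline request itself did not return an image, in which case the session token is wrong and the other two results are meaningless. After a fix is deployed, a 0 from this probe is the "Verify Fix Applied" evidence for the first two bullets; the cookie attributes still have to be read off the Set-Cookie header by hand.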

📡 Detection & Monitoring

Log Indicators:

  • Multiple photo access requests from same session with different student IDs
  • Photo access requests without referrer headers or with external referrers

Network Indicators:

  • Requests to /gmis/*/student/grgl/PotoImageShow/ whose Referer or Origin names an external domain, or whose Sec-Fetch-Site header is cross-site
  • Rapid sequential access to different student photo URLs

SIEM Query:

source="web_logs" uri="/gmis/*/student/grgl/PotoImageShow/*" AND (referrer="-" OR referrer="" OR NOT referrer="*yourdomain.com*")

Splunk-style syntax; adjust the source and field names to your web-log sourcetype. This query covers the absent-or-foreign-Referer indicator only; pair it with a count of distinct bh values per session token to catch enumeration from a single session.
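
As an added example (not a Southsoft or SIEM-vendor tool), the script below runs both detections from this section over constructed Combined Log Format lines: it flags photo-endpoint requests whose Referer is absent or names a foreign host, and it flags sessions that request many different student IDs. The host gmis.example.edu, the session IDs, the student IDs and the enumeration threshold are assumptions; the session ID is read from the (S(...)) segment of the request path and the student ID from the bh= parameter, both of which appear in the advisory's endpoint.

```python
"""Detection for the two log indicators above over constructed access-log
lines: photo-endpoint requests with an absent or foreign Referer, and sessions
that pull many different student IDs. Added example, not a vendor tool. Host
name, session IDs, student IDs and the threshold are assumptions; the log
lines are constructed in Combined Log Format."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

OWN_HOST = "gmis.example.edu"      # assumed: the application's own host name
ENUM_THRESHOLD = 5                 # assumed: distinct bh values per session worth alerting on

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Session ID sits in the (S(...)) path segment of the affected endpoint.
PHOTO_RE = re.compile(r'^/gmis/\(S\((?P<sid>[^)]+)\)\)/student/grgl/PotoImageShow/')

# Constructed sample: one ordinary load, one load referred from a lure page,
# one scripted session walking six student IDs (one of them a 404), one unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2021:09:00:01 +0800] "GET /gmis/(S(k2u3c4d5))/student/grgl/PotoImageShow/?bh=2019001 HTTP/1.1" 200 41233 "https://gmis.example.edu/gmis/(S(k2u3c4d5))/student/grgl/" "Mozilla/5.0"
10.0.0.5 - - [12/Aug/2021:09:00:09 +0800] "GET /gmis/(S(k2u3c4d5))/student/grgl/PotoImageShow/?bh=2019002 HTTP/1.1" 200 40110 "https://evil.example/lure.html" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2021:09:05:00 +0800] "GET /gmis/(S(zz9y8x7w))/student/grgl/PotoImageShow/?bh=2019001 HTTP/1.1" 200 41233 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Aug/2021:09:05:00 +0800] "GET /gmis/(S(zz9y8x7w))/student/grgl/PotoImageShow/?bh=2019002 HTTP/1.1" 200 40110 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Aug/2021:09:05:01 +0800] "GET /gmis/(S(zz9y8x7w))/student/grgl/PotoImageShow/?bh=2019003 HTTP/1.1" 200 39870 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Aug/2021:09:05:01 +0800] "GET /gmis/(S(zz9y8x7w))/student/grgl/PotoImageShow/?bh=2019004 HTTP/1.1" 404 512 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Aug/2021:09:05:02 +0800] "GET /gmis/(S(zz9y8x7w))/student/grgl/PotoImageShow/?bh=2019005 HTTP/1.1" 200 42001 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Aug/2021:09:05:02 +0800] "GET /gmis/(S(zz9y8x7w))/student/grgl/PotoImageShow/?bh=2019006 HTTP/1.1" 200 41999 "-" "python-requests/2.25.1"
10.0.0.7 - - [12/Aug/2021:09:06:00 +0800] "GET /gmis/(S(aaaa1111))/student/grgl/ HTTP/1.1" 200 1200 "https://gmis.example.edu/" "Mozilla/5.0"
"""


def parse_photo_request(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return fields only for requests to the photo endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pm = PHOTO_RE.match(rec["path"])
    if not pm:
        return None
    rec["sid"] = pm.group("sid")
    rec["bh"] = parse_qs(urlparse(rec["path"]).query).get("bh", [""])[0]
    return rec


def referer_is_foreign(referer: str) -> bool:
    """Absent ('-' or empty) or not our own host. Absent Referers also occur on
    direct loads and under strict referrer policies, so they are triage, not proof."""
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != OWN_HOST


def analyse(lines: Iterable[str]) -> Dict[str, object]:
    foreign: List[Tuple[str, str, str, str]] = []      # (ip, sid, bh, referer)
    bh_by_session: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_photo_request(line)
        if rec is None:
            continue
        if referer_is_foreign(rec["referer"]):
            foreign.append((rec["ip"], rec["sid"], rec["bh"], rec["referer"]))
        bh_by_session[rec["sid"]].add(rec["bh"])       # count attempts, 404s included
    enumerating = {sid: sorted(bhs) for sid, bhs in bh_by_session.items()
                   if len(bhs) >= ENUM_THRESHOLD}
    return {"foreign_referer": foreign, "enumerating_sessions": enumerating}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for hit in result["foreign_referer"]:
        print("foreign/absent referer:", hit)
    for sid, bhs in result["enumerating_sessions"].items():
        print(f"session {sid} requested {len(bhs)} distinct student IDs: {bhs}")
```

Enumeration is counted on attempts rather than successes because a scripted attacker walking an ID range produces 404s for gaps in the range, and those are part of the signal. The per-session key is the (S(...)) token, so the second detection works even when the attacker rotates source IPs but keeps one session.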
