CVE-2021-47723
📋 TL;DR
CVE-2021-47723 is a cross-site request forgery vulnerability in STVS ProVision 5.9.10 that allows attackers to create new administrative users by tricking authenticated administrators into visiting malicious websites. This affects all organizations using STVS ProVision 5.9.10 with administrative interfaces accessible via web browsers.
💻 Affected Systems
- STVS ProVision
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the STVS ProVision system, allowing them to create backdoor accounts, modify configurations, access sensitive data, and potentially pivot to other systems.
Likely Case
Attackers create persistent administrative accounts to maintain access, potentially leading to data theft, system manipulation, or further exploitation.
If Mitigated
With proper CSRF protections and network segmentation, impact is limited to denial of service or minor configuration changes if exploited.
🎯 Exploit Status
Exploit requires social engineering to trick authenticated admin into visiting malicious site. Public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://www.stvs.ch
Restart Required: No
Instructions:
1. Check vendor website for updates
2. Apply any available patches
3. Verify CSRF protections are implemented
🔧 Temporary Workarounds
Implement CSRF Tokens
Add anti-CSRF tokens to all state-changing requests in the application
Application-specific implementation required
SameSite Cookie Attribute
Set SameSite=Strict or SameSite=Lax attributes on session cookies
Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
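The two workarounds above (session-bound anti-CSRF tokens and a SameSite session cookie) can be combined into one request gate. The code below is an added illustration, not STVS ProVision's code: it assumes a placeholder server secret, an admin-interface origin of `https://provision.example.internal`, a form field named `csrf_token`, and requests represented as plain dicts. It mints a token tied to the session id with an HMAC, validates it in constant time, rejects browser-sent `Origin`/`Referer` values from other sites as defence in depth, and builds the recommended `Set-Cookie` value. `legitimate_request` and `forged_request` are constructed samples showing why a cross-site form post cannot carry a valid token.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed values: a placeholder server secret and the origin on which the
# admin interface is assumed to be served. Neither comes from the advisory.
SERVER_SECRET = b"placeholder-secret-load-from-a-secret-store"
EXPECTED_ORIGIN = "https://provision.example.internal"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to the session: random nonce + HMAC over (session, nonce).

    Binding the MAC to the session id means a token minted for one session
    cannot be replayed against another, and the server stores nothing.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def build_session_cookie(session_id: str) -> str:
    """Session cookie carrying the attributes recommended in the workaround."""
    return f"session={session_id}; SameSite=Strict; Secure; HttpOnly; Path=/"


def parse_cookie_header(header: str) -> dict:
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def same_origin(url: str) -> bool:
    """True only when scheme and host:port match the admin interface exactly."""
    got, want = urlsplit(url), urlsplit(EXPECTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def is_request_allowed(request: dict, secret: bytes = SERVER_SECRET) -> tuple:
    """Gate a request. Returns (allowed, reason)."""
    headers = request.get("headers", {})
    if request.get("method", "GET").upper() in SAFE_METHODS:
        return True, "safe method"
    session_id = parse_cookie_header(headers.get("Cookie", "")).get("session")
    if not session_id:
        return False, "no session cookie"
    # Defence in depth: an Origin/Referer from another site is rejected before
    # the token is looked at. Absent headers fall through to the token check.
    source = headers.get("Origin") or headers.get("Referer")
    if source and not same_origin(source):
        return False, f"cross-site request from {source}"
    token = request.get("form", {}).get("csrf_token")
    if not token or not validate_csrf_token(session_id, token, secret):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def legitimate_request(session_id: str) -> dict:
    """Constructed: the admin's own form submission, carrying the issued token."""
    return {
        "method": "POST",
        "headers": {"Cookie": f"session={session_id}", "Origin": EXPECTED_ORIGIN},
        "form": {"username": "newadmin", "role": "admin", "csrf_token": issue_csrf_token(session_id)},
    }


def forged_request(session_id: str) -> dict:
    """Constructed: the same form posted from a third-party page. The browser
    attaches the session cookie only if SameSite is unset, and the page cannot
    read the token, so the form carries none."""
    return {
        "method": "POST",
        "headers": {"Cookie": f"session={session_id}", "Origin": "https://third-party.example"},
        "form": {"username": "newadmin", "role": "admin"},
    }


if __name__ == "__main__":
    print(build_session_cookie("s1"))
    print(is_request_allowed(legitimate_request("s1")))
    print(is_request_allowed(forged_request("s1")))
```

With `SameSite=Strict` on the session cookie the forged post would arrive with no session at all and fail at the first check; the token check is what protects browsers or deployments where the attribute is not honoured.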
🧯 If You Can't Patch
- Segment administrative interfaces to internal networks only
- Implement web application firewall rules to block CSRF patterns
🔍 How to Verify
Check if Vulnerable:
Test if admin user creation endpoints lack CSRF tokens by inspecting HTTP requests
Check Version:
Check application version in admin interface or configuration files
Verify Fix Applied:
Verify that all state-changing requests include validated CSRF tokens
📡 Detection & Monitoring
Log Indicators:
- Multiple admin user creation attempts from same session
- Admin user creation from unexpected IP addresses
Network Indicators:
- HTTP POST requests to admin creation endpoints without referrer headers or CSRF tokens
SIEM Query:
source="provision_logs" AND (event="user_created" OR event="admin_added")
(Field and event names are illustrative; map them to the platform's actual log schema. A user-agent match cannot single out forged requests, because a CSRF request is issued by the victim administrator's own browser, so review the returned events against the log and network indicators above instead.)
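The log and network indicators above can be turned into detection rules run over the application's audit log. The following is an added example, not part of the advisory or of STVS ProVision: it assumes a constructed key=value log format with `event`, `session`, `src`, `referer` and `csrf` fields, an administrator subnet of `10.0.0.0/24`, and a burst threshold of three creations per session. It flags creation events that arrive without a referrer or CSRF token, creations from outside the admin subnet, and bursts of creations from one session.

```python
import ipaddress
from collections import Counter

# Assumed: the network from which administrators normally work.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]
CREATION_EVENTS = {"user_created", "admin_added"}

# Constructed sample log. One normal creation (line 2), three creations in one
# second with no referrer or token from the same session, and one creation
# from an address outside the admin subnet.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=10.0.0.15 session=s-11 event=login user=alice
2024-05-01T09:03:12Z src=10.0.0.15 session=s-11 event=admin_added user=alice target=bob referer=https://provision.example.internal/admin/users csrf=present
2024-05-01T09:10:44Z src=10.0.0.15 session=s-11 event=admin_added user=alice target=svc1 referer=- csrf=absent
2024-05-01T09:10:45Z src=10.0.0.15 session=s-11 event=admin_added user=alice target=svc2 referer=- csrf=absent
2024-05-01T09:10:46Z src=10.0.0.15 session=s-11 event=admin_added user=alice target=svc3 referer=- csrf=absent
2024-05-01T11:22:09Z src=203.0.113.7 session=s-42 event=user_created user=carol target=dave referer=https://provision.example.internal/admin/users csrf=present
"""


def parse_log_line(line: str) -> dict:
    """Timestamp followed by key=value pairs; returns {} for blank lines."""
    parts = line.split()
    if not parts:
        return {}
    record = {"ts": parts[0]}
    for pair in parts[1:]:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> list:
    return [r for r in (parse_log_line(line) for line in text.splitlines()) if r]


def is_admin_source(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETS)


def detect(text: str, session_threshold: int = 3) -> list:
    """Return one alert dict per rule hit over the creation events in the log."""
    alerts = []
    creations_per_session = Counter()
    for rec in parse_log(text):
        if rec.get("event") not in CREATION_EVENTS:
            continue
        session = rec.get("session", "?")
        creations_per_session[session] += 1
        # Network indicator: creation without a referrer or without a token.
        if rec.get("csrf") != "present" or rec.get("referer", "-") == "-":
            alerts.append({"rule": "creation_without_csrf_or_referer", "ts": rec["ts"],
                           "session": session, "target": rec.get("target")})
        # Log indicator: creation from an address outside the admin network.
        if not is_admin_source(rec.get("src", "")):
            alerts.append({"rule": "creation_from_unexpected_ip", "ts": rec["ts"],
                           "session": session, "src": rec.get("src")})
    # Log indicator: many creations from one session.
    for session, count in creations_per_session.items():
        if count >= session_threshold:
            alerts.append({"rule": "burst_from_single_session",
                           "session": session, "count": count})
    return alerts


def count_by_rule(alerts: list) -> Counter:
    return Counter(alert["rule"] for alert in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first rule is the one most specific to this CVE: a legitimate form submission from the admin interface carries both a same-site referrer and a token, so a creation event lacking either deserves a look regardless of which account performed it.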