CVE-2024-36523
📋 TL;DR
An access control vulnerability in Wvp GB28181 Pro 2.0 allows users to maintain access to application data after their accounts (including administrator accounts) have been deleted, as long as they remain logged in. This affects all users of the vulnerable software version who have active sessions when account deletion occurs.
💻 Affected Systems
- Wvp GB28181 Pro
📦 What is this software?
Gb28181 by Wvp Pro
⚠️ Risk & Real-World Impact
Worst Case
A deleted administrator could maintain full privileged access indefinitely, potentially accessing sensitive data, modifying configurations, or creating new accounts.
Likely Case
Users continue accessing their own data after account deletion, leading to data integrity issues and unauthorized access to information that should be inaccessible.
If Mitigated
With proper session management and access control validation, users would be immediately logged out upon account deletion.
🎯 Exploit Status
Exploitation requires an authenticated session and knowledge that account deletion occurred. No special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/648540858/wvp-GB28181-pro/issues/1456
Restart Required: No
Instructions:
Check GitHub repository for updates. If patched, update to latest version. No specific patch available as of analysis.
🔧 Temporary Workarounds
Force session termination on account deletion
Modify application logic to invalidate all active sessions when an account is deleted
Manual code modification required - implement session cleanup in account deletion function
Implement session timeout
Set aggressive session timeouts to limit the window of vulnerability
Configure session timeout in application settings (typically in configuration files)
🧯 If You Can't Patch
- Manually terminate all active sessions after account deletion through administrative interface
- Implement network-level access controls to restrict access to application for deleted users
🔍 How to Verify
Check if Vulnerable:
1. Create a test account and log in.
2. Delete the account while keeping the session active.
3. Attempt to access application features; if access still succeeds, the installation is vulnerable.
Check Version:
Check application version in web interface or configuration files
Verify Fix Applied:
Repeat vulnerability test - after account deletion, session should be terminated and access denied.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication/logins from deleted user accounts
- Access attempts after account deletion timestamps
Network Indicators:
- HTTP requests with session cookies for deleted users
SIEM Query:
auth_success AND (user_account_status=deleted OR user_deletion_time < event_time)
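The session-cleanup workaround above and the SIEM query's logic, as an added illustration (this is example code, not code from wvp-GB28181-pro): a minimal session store that drops sessions when an account is deleted and re-checks account status on every request, plus a function that flags successful auth events timestamped after the user's deletion. Account, session and log structures are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    username: str
    deleted_at: Optional[int] = None  # epoch seconds; None while the account exists

@dataclass
class SessionStore:
    accounts: dict = field(default_factory=dict)   # username -> Account
    sessions: dict = field(default_factory=dict)   # token -> username

    def login(self, username, token):
        acct = self.accounts.get(username)
        if acct is None or acct.deleted_at is not None:
            raise PermissionError("unknown or deleted account")
        self.sessions[token] = username

    def delete_account(self, username, now):
        """Mark the account deleted and drop every session bound to it.
        Returns how many sessions were terminated (the page's workaround)."""
        self.accounts[username].deleted_at = now
        stale = [t for t, u in self.sessions.items() if u == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def authorize(self, token):
        """Per-request check: the token must still be in the store AND its
        account must still exist. Without the second clause, a deletion path
        that skips cleanup leaves the session usable (the CVE's behaviour)."""
        username = self.sessions.get(token)
        if username is None:
            return False
        acct = self.accounts.get(username)
        return acct is not None and acct.deleted_at is None

def find_post_deletion_access(events, deletions):
    """Detection logic behind the page's SIEM query: a successful auth event
    timestamped after the user's deletion time indicates a surviving session."""
    return [e for e in events
            if e["result"] == "auth_success"
            and e["user"] in deletions and deletions[e["user"]] < e["time"]]

# Constructed sample auth log and deletion record (not real data).
EVENTS = [{"time": 100, "user": "alice", "result": "auth_success"},
          {"time": 200, "user": "alice", "result": "auth_success"},
          {"time": 150, "user": "bob", "result": "auth_success"}]
DELETIONS = {"alice": 120}  # alice deleted at t=120; bob never deleted
```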