CVE-2018-15206
Description
BPC SmartVista 2 has CSRF via SVFE2/pages/admpages/roles/createrole.jsf.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BPC SmartVista 2 SVFE2 is vulnerable to cross-site request forgery (CSRF) via the role creation page, allowing an attacker to create unauthorized roles.
Vulnerability
BPC SmartVista 2, specifically the SVFE2 (SmartVista Front-End version 2) module, is vulnerable to Cross-Site Request Forgery (CSRF) via the createrole.jsf page at /SVFE2/pages/admpages/roles/createrole.jsf [1]. The application does not include anti-CSRF tokens, allowing an attacker to forge malicious HTTP requests that are automatically submitted by an authenticated victim's browser. The vulnerability affects all instances running SmartVista 2 with the SVFE2 component [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious HTML page containing a form that automatically submits a POST request to the vulnerable endpoint. The form includes hidden input fields for role name, description, and other parameters, such as UserForm_rolename and UserForm_descr [1]. The attacker then tricks an authenticated administrator into visiting the malicious page, typically via phishing or social engineering. The victim must have an active session on the SmartVista 2 application for the attack to succeed. No additional authentication or privileges are required beyond the victim's existing session [1].
Impact
Successful exploitation allows an attacker to perform unauthorized actions on behalf of an authenticated administrator. Specifically, the attacker can create new roles within the SmartVista application [1]. This can lead to privilege escalation if the attacker can assign excessive permissions to the created role. The impact includes potential information disclosure, data modification, or further compromise of the payment infrastructure, as roles control access to sensitive functions. The CVSS score is not provided in the references, but the attack type is remote and the impact on confidentiality, integrity, and availability is considered high due to the nature of the application [1].
Mitigation
As of the publication date (2019-04-30), BPC Group had not released a patch for this vulnerability. The vendor was notified on 17 June 2018, but no fix was mentioned in the disclosure timeline [1]. Mitigation should include implementing proper CSRF tokens on all state-changing requests, particularly the createrole.jsf page. Administrators should also restrict access to the SVFE2 interface to trusted networks and educate users about phishing risks. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the reference date. Users should monitor vendor updates for a security patch.
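One way to implement the token check the mitigation calls for, as an added example that is not BPC's code and not taken from the reference: a small Python handler for a createrole-style POST that accepts the request only when it carries the session's synchronizer token and, if the browser sent one, a same-site Origin. The in-memory session store, the SITE_ORIGIN value, and the csrf_token field name are assumptions; the UserForm_rolename and UserForm_descr parameters are the ones named above.

```python
# Added example (not BPC's code): synchronizer-token check for a
# state-changing form handler such as a createrole-style POST.
import hmac
import secrets

SESSIONS: dict[str, dict] = {}          # constructed in-memory session store
SITE_ORIGIN = "https://svfe.example"    # assumed origin of the application


def new_session() -> str:
    """Create a session and mint a per-session CSRF token for its forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "roles": []}
    return sid


def form_token(sid: str) -> str:
    """Token the server embeds as a hidden field in the role-creation form."""
    return SESSIONS[sid]["csrf"]


def handle_create_role(sid: str, headers: dict, form: dict) -> tuple[int, str]:
    """Create a role only for a request that proves it came from our own page."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    # Browsers attach Origin to cross-site POSTs; a form auto-submitted from an
    # attacker-controlled page carries that page's origin, never ours.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    # Synchronizer token: a foreign page cannot read our form, so it cannot
    # supply the token; compare in constant time.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    session["roles"].append({
        "name": form["UserForm_rolename"],
        "descr": form.get("UserForm_descr", ""),
    })
    return 200, "role created"
```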
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: = 2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. neetech18.blogspot.com/2019/03/cross-site-request-forgery-smartvista.html (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.