VYPR
Medium severity (6.2) · NVD Advisory · Published Jan 16, 2026 · Updated Apr 15, 2026

CVE-2021-47795

Description

GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GeoVision GeoWebServer 5.3.3 fails to sanitize user input, enabling LFI, XSS, and RCE via the WebStrings.srf endpoint.

Vulnerability

Overview

GeoVision GeoWebServer version 5.3.3 and earlier contain multiple vulnerabilities stemming from improper input sanitization. The core issue resides in the WebStrings.srf endpoint, which does not properly validate or sanitize user-supplied parameters. This allows attackers to inject path traversal sequences and malicious scripts, leading to local file inclusion (LFI), cross-site scripting (XSS), and remote code execution (RCE) [1][2].

Exploitation

Details

Exploitation requires network access to the GeoWebServer web interface. No authentication is needed to reach the vulnerable endpoint. Attackers can craft GET or POST requests to /Visitor/bin/WebStrings.srf with manipulated file or obj_name parameters. For example, a path traversal payload like ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini can read arbitrary system files. Additionally, injecting HTML or JavaScript into the obj_name parameter enables XSS attacks, potentially leading to session theft or further client-side exploitation [2].

Impact

Successful exploitation allows an unauthenticated attacker to read sensitive files from the server (LFI), execute arbitrary JavaScript in the context of a victim's browser (XSS), and potentially achieve remote code execution (RCE) by chaining these vulnerabilities. The vendor has acknowledged the issue but the provided patch was reported as ineffective, leaving all versions up to 5.3.3 vulnerable [2][3].

Mitigation

Status

As of the latest advisories, GeoVision has not released a fully effective patch. Users are advised to restrict network access to the GeoWebServer interface and monitor for future updates from the vendor's security page [1][2].
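Because no effective vendor patch is available, the practical control is to restrict access and watch for the request pattern the advisory describes. The script below is an added example written for this page, not code from the advisory, from NVD or from GeoVision: it scans web-server access-log lines for requests to /Visitor/bin/WebStrings.srf whose file or obj_name parameters carry traversal sequences or HTML/script markup, after repeated percent-decoding so that double-encoded variants are not missed. The Common Log Format layout and the sample log lines are constructed for the example; the endpoint, parameter names and traversal payload are the ones the advisory names.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameters named in the advisory (compared case-insensitively,
# since GeoWebServer runs on Windows/IIS where paths are not case-sensitive).
VULNERABLE_PATH = "/visitor/bin/webstrings.srf"
WATCHED_PARAMS = ("file", "obj_name")

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Line 1 carries the traversal payload quoted in the advisory, line 2 an HTML
# injection into obj_name, line 5 a double-encoded traversal. Lines 3 and 4 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [16/Jan/2026:10:00:01 +0000] "GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=x HTTP/1.1" 200 512',
    '10.0.0.6 - - [16/Jan/2026:10:00:02 +0000] "GET /Visitor/bin/WebStrings.srf?file=strings.txt&obj_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88',
    '10.0.0.7 - - [16/Jan/2026:10:00:03 +0000] "GET /Visitor/bin/WebStrings.srf?file=strings.txt&obj_name=login HTTP/1.1" 200 88',
    '10.0.0.8 - - [16/Jan/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [16/Jan/2026:10:00:05 +0000] "GET /Visitor/bin/WebStrings.srf?file=%252e%252e%252f%252e%252e%252fwindows/win.ini&obj_name=x HTTP/1.1" 200 512',
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# "../" or "..\" after decoding; both separators matter on a Windows host.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e%252f collapses to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target: str) -> list[str]:
    """Return indicator tags for one request target; an empty list means benign."""
    parts = urlsplit(target)
    if fully_decode(parts.path).lower() != VULNERABLE_PATH:
        return []
    # parse_qs performs one round of decoding; fully_decode handles the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    tags = []
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                tags.append(f"traversal:{name}")
            # Angle brackets or a javascript: scheme have no legitimate role
            # in a string-table object name.
            if "<" in value or ">" in value or "javascript:" in value.lower():
                tags.append(f"html_injection:{name}")
    return tags


def scan_logs(lines) -> list[tuple[str, str, list[str]]]:
    """Parse each log line; return (client ip, timestamp, tags) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        tags = analyze_request(m.group("target"))
        if tags:
            hits.append((m.group("ip"), m.group("ts"), tags))
    return hits


if __name__ == "__main__":
    for ip, ts, tags in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {ip} {' '.join(tags)}")
```

Run against the constructed lines, the scan flags the three hostile requests (traversal from 10.0.0.5 and 10.0.0.9, HTML injection from 10.0.0.6) and ignores the benign ones. One caveat the advisory's own wording raises: it says the endpoint accepts POST as well as GET, and POST bodies never reach an access log, so the same checks need to run in a reverse proxy or WAF that logs request bodies to cover that path.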

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 3