VYPR
Medium severity 6.3 · NVD Advisory · Published Dec 11, 2024 · Updated Apr 15, 2026

CVE-2024-28141

Description

The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. For example, an attacker can forge malicious links to reset the admin password or create new users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Image Access Scan2Net web application lacks CSRF protection, allowing attackers to trick users into performing privileged actions such as resetting a password or creating a user.

The Image Access Scan2Net web application is vulnerable to cross-site request forgery (CSRF) because it does not implement anti-forgery tokens or other validation mechanisms. This allows an attacker to craft malicious requests that appear legitimate to the server, exploiting the trust the application has in an authenticated user's browser [1].

An attacker can host a malicious website or send a crafted link that, when visited by an authenticated user, triggers a request to the Scan2Net web interface. The attacker does not need to authenticate; they rely on the victim's active session. For example, an attacker can forge a request to reset the administrator's password or create a new user account, as described in the advisory [1].

Successful exploitation of this CSRF vulnerability enables an attacker to gain administrative control over the scanner device. This could lead to further compromise of the device and potentially the network it is connected to, as the attacker could then leverage other vulnerabilities or access sensitive data [1].

The vendor has addressed this issue in firmware version 7.42B. Users are strongly advised to update their Scan2Net devices to this version to mitigate the risk. No workarounds are mentioned in the advisory [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

3