Description of vulnerability:
The web interface allows users to perform certain actions via HTTP requests without performing validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Ecessa plans to fix this vulnerability in software release 10.7.5, which is currently under development. This advisory will be updated when 10.7.5 is released. In the meantime, following these best practices mitigates the risk of CSRF vulnerabilities in all browser-based applications:
- Log off immediately after using a Web application.
- Do not allow your browser to save usernames/passwords, and do not allow sites to “remember” your login.
- Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).
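
The missing validity check described above, sketched as an added server-side example (not Ecessa's code and not the fix planned for 10.7.5): a state-changing request is accepted only if it carries a token bound to the user's session and an Origin/Referer naming the management host. The key handling, function names, the `csrf_token` form field and the host `gw.example.test` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a per-process secret; a real device would persist and protect it.
SERVER_KEY = secrets.token_bytes(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; the UI embeds it in every form it renders."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac_hex = (token or "").partition(".")
    if not (sep and nonce and mac_hex):
        return False
    return hmac.compare_digest(_mac(session_id, nonce).encode(), mac_hex.encode())


def origin_matches(headers: dict, expected_host: str) -> bool:
    """Origin (Referer as fallback) must name the management host itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed: no provenance on a state-changing request
    return urlsplit(source).netloc.lower() == expected_host.lower()


def allow_request(method, headers, form, session_id, expected_host) -> bool:
    if method.upper() not in STATE_CHANGING:
        return True  # assumes handlers never change state on read-only methods
    return (origin_matches(headers, expected_host)
            and token_is_valid(session_id, form.get("csrf_token", "")))


if __name__ == "__main__":
    # Constructed sample requests: one from the device's own form, one cross-site.
    sid, host = "sess-constructed-1", "gw.example.test"
    form = {"csrf_token": issue_csrf_token(sid)}
    print(allow_request("POST", {"Origin": f"https://{host}"}, form, sid, host))
    print(allow_request("POST", {"Origin": "https://other.example"}, {}, sid, host))
```

A session cookie alone does not pass `allow_request`, which is the property the vulnerable interface lacks: the browser attaches the cookie to cross-site requests automatically, but another site cannot read the token out of the device's pages.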