CVE-2023-47024

HIGH

NCR Terminal Handler 1.5.1 - Cross-Site Request Forgery via WSDL Function

Title source: llm

Description

Cross-Site Request Forgery (CSRF) in NCR Terminal Handler v.1.5.1 leads to a one-click account takeover. This is achieved by exploiting multiple vulnerabilities, including an undisclosed function in the WSDL that has weak security controls and can accept custom content types.

References (2)

Core 2

Core References

Permissions Required

https://docs.google.com/document/d/18EOsFghBsAme0b3Obur8Oc6h5xV9zUCNKyQLw5ERs9Q/edit?usp=sharing

Third Party Advisory

https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47024

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0025

EPSS Percentile 16.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (1)

ncratleos/terminal_handler 1.5.1

Published Jan 20, 2024

Tracked Since Feb 18, 2026