CVE-2023-47024

HIGH

Ncratleos Terminal Handler - CSRF

Title source: rule

Description

Cross-Site Request Forgery (CSRF) in NCR Terminal Handler v.1.5.1 leads to a one-click account takeover. This is achieved by exploiting multiple vulnerabilities, including an undisclosed function in the WSDL that has weak security controls and can accept custom content types.

References (2)

Core 2

Core References

Permissions Required

https://docs.google.com/document/d/18EOsFghBsAme0b3Obur8Oc6h5xV9zUCNKyQLw5ERs9Q/edit?usp=sharing

Third Party Advisory

https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47024

View Writeup ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0017

EPSS Percentile 37.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (1)

ncratleos/terminal_handler 1.5.1

Published Jan 20, 2024

Tracked Since Feb 18, 2026