[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. ------------------------------------------ [Additional Information] The default settings make this attack theoretical rather than practical. A lot of interaction takes place between the application and the end user. For correct functioning, it is important to verify that requests coming from the user actually represent the user's intention. The application must therefore be able to distinguish forged requests from legitimate ones. Currently no measures against Cross-Site Request Forgery have been implemented and therefore users can be tricked into submitting requests without their knowledge or consent. From the application's point of view, these requests are legitimate requests from the user and they will be processed as such. This can result in the creation of additional (administrative) user accounts, without the user’s knowledge or consent. In order to execute a CSRF attack, a user must be tricked into visiting an attacker controlled page, using the same browser that is authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye will be used, users are unlikely to (be able to) access such pages simultaneously. ------------------------------------------ [Vulnerability Type] Cross Site Request Forgery (CSRF) ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye, web interface ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [CVE Impact Other] Full device compromise. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond. Use CVE-2020-11919.