Giorgi Dograshvili

**Name of the Vulnerable Software and Affected Versions** Geovision GV-ASWeb versions 6.1.0.0 and earlier **Description** The issue is related to incorrect access control, allowing unauthorized attackers with low-level privileges to manage and create new user accounts by supplying a crafted HTTP request. This can lead to privilege escalation, enabling attackers to gain administrative access. **Recommendations** For Geovision GV-ASWeb versions 6.1.0.0 and earlier, consider restricting access to the web application until a patch is available, and limit the creation of new user accounts to prevent potential exploitation. As a temporary workaround, restrict privileges for guest accounts to minimize the risk of escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Geovision GV-ASWeb versions 6.1.1.0 and earlier **Description** A Cross-Site Request Forgery (CSRF) issue in the Account Management component allows attackers to create admin accounts using a manipulated GET request method. This enables attackers to arbitrarily create Admin accounts. **Recommendations** For Geovision GV-ASWeb versions 6.1.1.0 and earlier, consider disabling the Account Management component until a patch is available to prevent exploitation. Restrict access to the affected component to minimize the risk of arbitrary admin account creation. Avoid using the affected GET request method in the Account Management component until the issue is resolved.