cbcvebase.
CVE-2024-56902
published 2025-02-03

CVE-2024-56902: Information disclosure vulnerability in Geovision GV-ASManager web application with the version v6.1.0.0 or less, which discloses account information…

PriorityP262high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
21.32%
97.3th percentile
Information disclosure vulnerability in Geovision GV-ASManager web application with the version v6.1.0.0 or less, which discloses account information, including cleartext password.

Detection & IOCsextracted from sources · hover to see the quote

url/ASWeb/bin/ASWebCommon.srf
path/ASWeb/bin/ASWebCommon.srf
cookieGvWebUser|3d|
commandaction=UA_GetAllUserAccount&node=xnode-98
snort
ET WEB_SPECIFIC_APPS GeoVision GV-ASManager <v6.1.0.0 Information Disclosure (CVE-2024-56902); flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ASWeb/bin/ASWebCommon.srf"; fast_pattern; http.cookie; content:"GvWebUser|3d|"; http.request_body; content:"action|3d|UA|5f|"; reference:url,github.com/DRAGOWN/CVE-2024-56902; reference:cve,2024-56902; classtype:web-application-attack; sid:2061365; rev:1;
  • Detect POST requests to /ASWeb/bin/ASWebCommon.srf with a body containing 'action=UA_' — this is the exploit endpoint used to enumerate and retrieve cleartext account credentials from GV-ASManager.
  • The specific POST body parameter 'action=UA_GetAllUserAccount' triggers the information disclosure, returning all user accounts including cleartext passwords.
  • The Guest account is enabled by default with an empty password (Username: Guest; Password: [empty]) and can be used to authenticate and trigger the vulnerability.
  • Use the Google Dork 'inurl:"ASWeb/Login"' to identify publicly exposed GV-ASManager instances on the internet.
  • The X-Requested-With: XMLHttpRequest header is present in exploit requests; correlate with POST to /ASWeb/bin/ASWebCommon.srf for higher-fidelity detection.
  • ·The vulnerability affects GV-ASManager v6.1.0.0 and earlier; the CSRF chain (CVE-2024-56901/56903) affects v6.1.1.0 and earlier. Ensure version scoping is correct when applying detections.
  • ·The Snort/ET rule (sid:2061365) uses the cookie content 'GvWebUser|3d|' as a key filter; ensure your inspection engine decodes URL-encoded cookie values or adjust the pattern accordingly.
  • ·CVE-2024-56902 is commonly chained with CVE-2024-56901 (CSRF account creation) and CVE-2024-56903 (GET method bypass) and CVE-2024-56898 (broken access control); detections for this CVE alone may miss the full attack chain.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.