CVE-2020-24033

Published: Oct 22, 2020Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges.

Affected (1)

Products: Fs: S3900 24t4s Firmware

1 product

S3900 24t4s Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fs S3900 24t4s Firmware	Up to 1.7.0

Running on/with	Platform Versions
Fs S3900 24t4s	All versions

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://github.com/M0NsTeRRR/CVE-2020-24033

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/M0NsTeRRR/S3900-24T4S-CSRF-vulnerability

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/M0NsTeRRR/CVE-2020-24033

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/M0NsTeRRR/S3900-24T4S-CSRF-vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.