CNVD-2023-72138 Scanner
Detects the 'Account Takeover' vulnerability in LiveGBS. Unauthenticated attackers can exploit this flaw to create users with administrative privileges and take over the backend management services.
Short Info
Level: High
Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 13 hours
Scan only one: URL
LiveGBS is a software solution for managing live video streaming. It is deployed by broadcasters, educational platforms, and online conferencing providers to manage and deliver video content over the internet. The software handles user management, content streaming, and bandwidth regulation, and its architecture supports multiple concurrent streams, which makes it a common choice for large-scale events. Because it centralizes user and stream administration, a flaw in its management interface affects every stream and account the deployment serves.
The vulnerability in LiveGBS is an access-control flaw in its user management functionality. Unauthenticated attackers can exploit it to create new accounts with administrative privileges. The cause is that the user management endpoint neither verifies that the caller is logged in nor that the caller is authorized to manage users, so arbitrary account creation and modification are accepted from anyone who can reach the endpoint. The result is unauthorized access to and control over the backend services, which puts the confidentiality and integrity of transmitted content at risk.
Technically, the vulnerability lies in the "user/save" endpoint. Because the endpoint performs no authentication check, an attacker can craft a request that adds a user, or possibly modifies an existing one, and because it performs no authorization check, the caller controls the account's privilege level. The relevant parameter is the "Role" field: the attacker supplies the role they want, including the administrative role, and the server stores it as given. The attacker then logs in with the new account and has administrative access to the platform.
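The following is an added illustration, not LiveGBS code: a minimal user-management handler in the shape described above, first with the missing checks (any caller can create a user and choose its role), then hardened so that the request must carry an authenticated administrator session and the supplied role is validated. The store, session object, role names and request fields are assumptions made for the example.

```python
"""Added example of the flaw class behind the 'user/save' finding.

Not LiveGBS code; the UserStore, Session, role names and request body
layout are assumptions for illustration only.
"""

from dataclasses import dataclass, field
from typing import Dict, Optional

ROLE_ADMIN = "admin"
ROLE_VIEWER = "viewer"
VALID_ROLES = {ROLE_ADMIN, ROLE_VIEWER}


@dataclass
class Session:
    """Represents an authenticated caller (assumed shape)."""
    username: str
    role: str


@dataclass
class UserStore:
    """In-memory user database: username -> role (assumed shape)."""
    users: Dict[str, str] = field(default_factory=dict)


class Unauthorized(Exception):
    """Caller is not logged in."""


class Forbidden(Exception):
    """Caller is logged in but not allowed to perform the action."""


def save_user_vulnerable(store: UserStore, body: dict) -> str:
    """Mirrors the flaw described on the page.

    The handler trusts the request body entirely: there is no check that
    the caller is authenticated, no check that the caller may manage users,
    and the 'role' value is stored as supplied. An anonymous request with
    role='admin' therefore creates an administrator.
    """
    username = body["username"]
    store.users[username] = body.get("role", ROLE_VIEWER)
    return username


def save_user_hardened(store: UserStore, body: dict,
                       session: Optional[Session]) -> str:
    """Hardened handler: authenticate, authorize, then validate input.

    Order matters: an anonymous caller is rejected before anything in the
    body is looked at, a non-admin caller is rejected next, and only then is
    the requested role checked against the allow-list.
    """
    if session is None:
        raise Unauthorized("login required")
    if session.role != ROLE_ADMIN:
        raise Forbidden("only administrators may manage users")
    username = body.get("username", "")
    if not username or not username.isalnum():
        raise ValueError("invalid username")
    role = body.get("role", ROLE_VIEWER)
    if role not in VALID_ROLES:
        raise ValueError("unknown role")
    store.users[username] = role
    return username


def demo() -> dict:
    """Run both handlers against the same anonymous request (constructed input)."""
    attacker_body = {"username": "mallory", "role": ROLE_ADMIN}

    vulnerable_store = UserStore()
    save_user_vulnerable(vulnerable_store, attacker_body)

    hardened_store = UserStore()
    try:
        save_user_hardened(hardened_store, attacker_body, session=None)
        hardened_outcome = "created"
    except Unauthorized:
        hardened_outcome = "rejected"

    return {
        "vulnerable_role": vulnerable_store.users.get("mallory"),
        "hardened_outcome": hardened_outcome,
        "hardened_users": dict(hardened_store.users),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version also refuses role escalation by non-administrators: a logged-in viewer who posts `role=admin` receives Forbidden rather than a new admin account, which is the second check a reviewer should look for in any user-management endpoint.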
If exploited, this vulnerability gives an attacker an administrative account on the LiveGBS instance. From there they can read or redirect streams, alter system configuration, create or delete other accounts, and disrupt service for every organization relying on the deployment. Exposure of stream content and account data to unauthorized parties can also carry compliance and reputational consequences for the affected provider. Operators should apply the vendor's fix, verify that the user management endpoint now rejects unauthenticated requests, audit the user list for accounts they did not create, and keep the management interface off the public internet where possible.