Title: Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password
Advisory ID: ZSL-2023-5756
Impact: Security Bypass
Release Date: 28.03.2023
Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China.
The application suffers from improper access control when editing users. A user with Read permissions can manipulate users, passwords and permissions by sending a single HTTP POST request with modified parameters and edit other users' names, passwords and permissions, including the admin password.
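The following is an added illustration of the bug class described above, not code from the advisory or from the Sielco firmware. It models a user-edit handler that checks only that the caller has a valid session and then applies every POST parameter, beside a hardened version that authorises each field server-side. The parameter names (user, name, password, role), the role names and the sample accounts are constructed for this example and are not the transmitter's real identifiers. The probe() function re-creates the advisory's test: a read-only user submits a modified request against the admin account.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password: str
    role: str  # "admin" or "read" (constructed role names for this example)


def make_store():
    """Fresh in-memory user table with constructed sample accounts."""
    return {
        "admin": User("admin", "adm1n-secret", "admin"),
        "viewer": User("viewer", "viewer-pw", "read"),
    }


def _apply_edit(store, target, form):
    """Apply the POST parameters to the target record (shared by both handlers)."""
    if "password" in form:
        target.password = form["password"]
    if "role" in form:
        target.role = form["role"]
    if "name" in form and form["name"] != target.name:
        # Renaming moves the record under its new key.
        del store[target.name]
        target.name = form["name"]
        store[target.name] = target


def edit_user_vulnerable(store, session_user, form):
    """Vulnerable pattern: authenticates (valid session) but never authorises.
    Any logged-in user, including one with the read-only role, can edit any
    account: rename it, set its password or change its role."""
    if session_user not in store:
        return 401
    target = store.get(form.get("user"))
    if target is None:
        return 404
    _apply_edit(store, target, form)
    return 200


def edit_user_hardened(store, session_user, form):
    """Hardened pattern: decide per request, on the server, whether this caller
    may touch this target and these fields. Hidden or greyed-out form fields in
    the web UI are not a control; the check has to live here."""
    actor = store.get(session_user)
    if actor is None:
        return 401
    target = store.get(form.get("user"))
    if target is None:
        return 404
    if actor.role != "admin":
        # Read-only users may change only their own password: no other target,
        # no rename, no role change.
        if target is not actor or set(form) - {"user", "password"}:
            return 403
    _apply_edit(store, target, form)
    return 200


def probe(handler):
    """Re-create the advisory's test against a handler: the read-only user POSTs
    a modified request that targets the admin account. Returns the HTTP status
    and whether the admin password was actually changed."""
    store = make_store()
    form = {"user": "admin", "password": "pwned", "role": "read"}
    status = handler(store, "viewer", form)
    admin = store.get("admin")
    changed = admin is not None and admin.password == "pwned"
    return status, changed


if __name__ == "__main__":
    print("vulnerable:", probe(edit_user_vulnerable))  # (200, True)
    print("hardened:  ", probe(edit_user_hardened))    # (403, False)
```

When testing a device for this class of issue, the same probe applies to the real endpoint: log in as the lowest-privilege account, replay the user-edit POST with the target user and password parameters changed, and then verify the result by attempting to log in with the new credentials rather than trusting the HTTP status alone.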
Sielco S.r.l – https://www.sielco.org
[26.01.2023] Vulnerability discovered.
[27.01.2023] Contact with the vendor and CSIRT Italia.
[27.03.2023] No response from the vendor.
[27.03.2023] No response from the CSIRT team.
[28.03.2023] Public security advisory released.
Vulnerability discovered by Gjoko Krstic – <firstname.lastname@example.org>
[28.03.2023] – Initial release
Zero Science Lab