The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition. | |
| Title | ST Engineering iDirect iQ-Series Terminals Cross-Site request forgery | |
| Weaknesses | CWE-352 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: icscert
Published:
Updated: 2026-07-10T17:00:34.681Z
Reserved: 2026-04-06T08:25:37.731Z
Link: CVE-2026-38057
Updated: 2026-07-10T16:22:09.078Z
No data.
No data.
OpenCVE Enrichment
No data.