GHSA-39r6-f6c2-xh29HighCVSS 8.1

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after...

Published
July 10, 2026
Last Modified
July 10, 2026

🔗 CVE IDs covered (1)

📋 Description

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.

🔗 References (5)