
CVE-2024-36523: n/a

Severity: Medium
Published: Wed Jun 12 2024 (06/12/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

An access control issue in Wvp GB28181 Pro 2.0 allows users to continue to access information in the application after deleting their own or administrator accounts, provided that they do not log out of the deleted accounts.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 03:26:10 UTC

Technical Analysis

CVE-2024-36523 identifies an access control vulnerability in Wvp GB28181 Pro 2.0, a video management platform implementing the GB28181 protocol commonly used in surveillance systems. The issue stems from improper session management: when a user deletes their own or an administrator account, the application does not invalidate the active session or access tokens associated with that account. As a result, the user can continue to access sensitive information within the application until they explicitly log out. This flaw corresponds to CWE-613 (Insufficient Session Expiration). The vulnerability requires network access and low privileges (PR:L) but no user interaction, making it relatively straightforward to exploit if an attacker has valid credentials. The CVSS v3.1 score of 6.5 reflects a medium severity due to the high confidentiality impact (unauthorized data access) but no impact on integrity or availability. No patches or fixes have been released at the time of publication, and no known exploits have been reported in the wild. This vulnerability highlights a critical gap in session and access token lifecycle management, which is essential for secure account deletion and access revocation in multi-user applications.

Potential Impact

The primary impact of this vulnerability is unauthorized access to sensitive information within the Wvp GB28181 Pro 2.0 application after account deletion. Attackers or users who delete their accounts but maintain active sessions can continue to view or extract confidential data, potentially including video feeds, user information, or system configurations. This compromises confidentiality and could lead to data leakage or privacy violations. Since the vulnerability does not affect data integrity or system availability, the risk is limited to information exposure. However, given the use of GB28181 in surveillance and security systems, unauthorized access could have serious operational and privacy consequences. Organizations relying on this software for critical monitoring or security functions may face compliance issues and reputational damage if sensitive data is exposed. The lack of patches and known exploits suggests the threat is currently theoretical but could become practical if attackers develop exploits or insiders abuse the flaw.

Mitigation Recommendations

Until an official patch is released, organizations should implement several specific mitigations:

1) Enforce immediate session termination upon account deletion by manually invalidating active sessions or tokens through administrative controls or backend database operations.
2) Restrict account deletion privileges to highly trusted administrators to minimize the risk of abuse.
3) Implement monitoring and alerting for unusual access patterns from accounts marked for deletion.
4) Encourage users to log out immediately after deleting accounts to prevent continued access.
5) Review and enhance session management policies to ensure tokens are invalidated on account status changes.
6) If possible, deploy network-level access controls to limit exposure of the application to trusted networks only.
7) Stay alert for vendor updates or patches addressing this vulnerability and apply them promptly.

These measures go beyond generic advice by focusing on session lifecycle management and administrative controls specific to this vulnerability.
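The session-lifecycle gap described in the analysis and addressed by mitigation 1), as an added example that is not code from the Wvp GB28181 Pro project (whose implementation is not shown on this page): a constructed in-memory application where `hardened=False` leaves tokens valid after the account is deleted, and `hardened=True` revokes them on deletion and re-checks account existence on every request. All class and function names, the two accounts and the token store are hypothetical.

```python
import secrets

class SessionStore:
    def __init__(self):
        self.tokens = {}  # token -> user_id (stand-in for the app's session table)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user_id
        return token

    def lookup(self, token):
        return self.tokens.get(token)

    def revoke_user(self, user_id):
        # Drop every token issued to user_id; returns the number revoked.
        doomed = [t for t, uid in self.tokens.items() if uid == user_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

class App:
    # Constructed app; hardened=False reproduces the CVE-2024-36523 behaviour.
    def __init__(self, hardened):
        self.hardened = hardened
        self.users = {"admin", "alice"}  # constructed account table
        self.sessions = SessionStore()

    def login(self, user_id):
        return self.sessions.issue(user_id)

    def delete_account(self, user_id):
        self.users.discard(user_id)
        if self.hardened:
            # CWE-613 fix: deleting an account revokes all of its live sessions.
            self.sessions.revoke_user(user_id)

    def authorize(self, token):
        user_id = self.sessions.lookup(token)
        # Hardened path also re-checks the account exists, rejecting stale tokens.
        if user_id is None or (self.hardened and user_id not in self.users):
            return None
        return user_id

def access_after_deletion(hardened, actor="alice", deleted="alice"):
    # actor logs in, account `deleted` is removed, then actor's token is reused.
    app = App(hardened)
    token = app.login(actor)
    app.delete_account(deleted)
    return app.authorize(token)
```

The unhardened path returns `"alice"` after alice deletes her own account, reproducing the reported behaviour; the hardened path returns `None` for that case and for an administrator deleting their own account, while an unrelated live account keeps its access.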


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-05-30T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c5db7ef31ef0b5635c4

Added to database: 2/25/2026, 9:40:45 PM

Last enriched: 2/28/2026, 3:26:10 AM

Last updated: 4/11/2026, 7:10:14 PM
