Vendor: SP1910 Network Access Controller
By: K053
CVSS: 8.8 (HIGH)
Vulnerability: XSS & Html code injection
CWE: 79
Product Name: SP1910 Network Access Controller
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: a:micronet:sp1910_network_access_controller
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Private Networks
2009

Exploit: XSS & Html code injection in Micronet SP1910 data access controller UI

Micronet SP1910 Network Access Controller is vulnerable to XSS and HTML code injection attacks. An attacker can inject malicious code into the controller's UI to steal user credentials and disconnect users from the network.

Mitigation:

The user should ensure that all input is validated and sanitized before being used in the application.

Exploit-DB raw data:

# Exploit: XSS & Html code injection in Micronet SP1910 data access controller UI
# Date: 27-11-2009
# Author: K053
# Vendor: http://www.micronet.info/model_detail.aspx?series_no=6&sno=472
# Tested on : Private Networks

------------------------------------------------------------------------------------
Note :

Micronet introduces an exciting new product—SP1910 Network Access Controller. It is 
specially designed for secure wired and wireless network environments of small or 
medium companies. The Micronet UI is vulnerable to XSS attacks.

An attacker is able to steal users' credentials and disconnect them.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-

POC :

You can spot XSS on any page,

http://server/loginpages/error_user.shtml?uname=userid&msg=<script>alert('xss')</script>
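
Since no patch exists, one practical control is to watch the device's web logs for requests shaped like the PoC above. The following is an added example, not part of the original advisory or any vendor code: it flags query parameters under `/loginpages/` whose decoded value contains an HTML tag. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The PoC path is /loginpages/error_user.shtml and the advisory reports other
# pages as well, so every request under /loginpages/ is inspected.
WATCHED_PREFIX = "/loginpages/"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# An opening or closing HTML tag; a user id or error text should never hold one.
TAG = re.compile(r"<\s*/?\s*[a-zA-Z!]")

def normalise(value, rounds=3):
    """Percent-decode repeatedly so nested encoding does not hide a tag."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def markup_params(log_line):
    """Return [(param, decoded value)] for query values that contain HTML."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.startswith(WATCHED_PREFIX):
        return []
    pairs = parse_qsl(url.query, keep_blank_values=True)
    return [(k, normalise(v)) for k, v in pairs if TAG.search(normalise(v))]

def scan(lines):
    """Map 1-based line number -> flagged parameters, for lines with hits."""
    found = {}
    for number, line in enumerate(lines, start=1):
        hits = markup_params(line)
        if hits:
            found[number] = hits
    return found

# Constructed sample lines (combined log format, documentation IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2009:10:00:01 +0000] "GET /loginpages/error_user.shtml?uname=alice&msg=Invalid+password HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Nov/2009:10:00:05 +0000] "GET /loginpages/error_user.shtml?uname=userid&msg=%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [27/Nov/2009:10:00:09 +0000] "GET /loginpages/error_user.shtml?uname=bob&msg=%3Ch1%3ESession+expired%3C/h1%3E HTTP/1.1" 200 530',
    '192.0.2.13 - - [27/Nov/2009:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

A hit only shows that markup was sent to the page; whether it was reflected unencoded still has to be confirmed against the device's response.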