Vendor: Logitech Media Server
By: Mert Das
CVSS: 8.8 (HIGH)
CWE: 79, Cross-Site Scripting (XSS)
Product Name: Logitech Media Server
Affected Version From: 8.2.2000
Affected Version To: 8.2.2000
Patch Exists: NO
Related CWE:
CPE: a:logitech:logitech_media_server:8.2.0
Platforms Tested: Windows 10, Linux
2021
Logitech Media Server 8.2.0 – ‘Title’ Cross-Site Scripting (XSS)
Logitech Media Server 8.2.0 is vulnerable to Cross-Site Scripting (XSS) in the 'Title' field. An attacker can inject malicious JavaScript code into the 'Title' field, and the browser executes it when the page is loaded. The payload used in the proof-of-concept is '><img src=1 onerror=alert(1)>', which causes an alert box to be displayed when the page is loaded.
Mitigation:
Input validation should be used to prevent malicious code from being injected into the 'Title' field.
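
The following is an added example, not code from Logitech Media Server or from the advisory's author. It runs the proof-of-concept value through an unescaped render, an output-encoded render, and a validator for the 'Title' field; the function names, the span markup and the validation policy are assumptions made for illustration.

```javascript
// Added example; all function names and the <span> markup are hypothetical,
// not taken from Logitech Media Server.

// Proof-of-concept value quoted in the advisory text.
const POC_TITLE = "><img src=1 onerror=alert(1)>";

// Vulnerable pattern: the title reaches the page unchanged.
function renderTitleUnsafe(title) {
  return '<span class="title">' + title + "</span>";
}

// Output encoding: neutralise the characters that can start a tag or
// close an attribute value.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

function renderTitleSafe(title) {
  return '<span class="title">' + encodeHtml(title) + "</span>";
}

// Input validation (constructed policy): bounded length, no angle brackets,
// no control characters. Apostrophes stay legal because real titles use them.
function validateTitle(title) {
  if (typeof title !== "string") return { ok: false, reason: "not a string" };
  const value = title.normalize("NFC").trim();
  if (value.length === 0 || value.length > 255) return { ok: false, reason: "length" };
  if (/[<>]/.test(value)) return { ok: false, reason: "angle bracket" };
  if (/[\u0000-\u001f\u007f]/.test(value)) return { ok: false, reason: "control character" };
  return { ok: true, value };
}

// Validate on input, encode on output; reject instead of trying to repair.
function handleTitle(title) {
  const checked = validateTitle(title);
  return checked.ok ? renderTitleSafe(checked.value) : null;
}

console.log(renderTitleUnsafe(POC_TITLE));
console.log(renderTitleSafe(POC_TITLE));
console.log(handleTitle(POC_TITLE));
console.log(handleTitle("Don't Stop"));
```

Because legitimate titles contain characters such as apostrophes and ampersands, validation cannot remove every HTML-significant character, so the value is still encoded wherever it is written into a page.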