WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)

vendor:

WhatsUp Gold 2022

by:

Andreas Finstad

5.1

CVSS

MEDIUM

Stored Cross-Site Scripting (XSS)

CWE

Product Name: WhatsUp Gold 2022

Affected Version From: WhatsUp Gold 2022 (v.22.1.0 Build 39)

Affected Version To: WhatsUp Gold 2022 (v.22.1.0 Build 39)

Patch Exists: NO

Related CWE: CVE-2023-35759

CPE: a:whatsupgold:whatsup_gold:22.1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 2022 Server

2023

WhatsUpGold 22.1.0 – Stored Cross-Site Scripting (XSS)

WhatsUp Gold 2022 (v.22.1.0 Build 39) is susceptible to a stored cross-site scripting (XSS) attack via the sysName SNMP parameter. An attacker can insert malicious scripts into the admin console by manipulating the SNMP device name. Once saved, the injected code executes in the admin user's context, potentially leading to data theft or unauthorized activities. This exploit can create a Powershell reverse shell connecting to the attacker at intervals.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input to prevent script injection. Additionally, implementing CSRF tokens or Content Security Policy (CSP) can help protect against XSS attacks.

Source

WhatsUpGold 22.1.0 – Stored Cross-Site Scripting (XSS)

Mitigation:

Exploit-DB raw data: