Vendor: Solar-Log 200
By: Vincent McRae, Mesut Cetin
CVSS: 4.1 MEDIUM
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Solar-Log 200
Affected Version From: Solar-Log 200 PM+ 3.6.0 Build 99
Affected Version To: Solar-Log 200 PM+ 3.6.0 Build 99
Patch Exists: NO
Related CVE: CVE-2023-46344
CPE: a:solar-log:solar-log_200_pm+:3.6.0:build_99
Platforms Tested: Proprietary devices
2023

Stored Cross-Site Scripting in Solar-Log 200 3.6.0 Web Panel

The Solar-Log 200 PM+ 3.6.0 Build 99 web panel is vulnerable to a stored cross-site scripting (XSS) attack. By modifying the name field in the Smart Energy configuration and inserting malicious script code like <xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>, an attacker can trigger the execution of arbitrary scripts in the context of the victim's session. This could potentially lead to the theft of sensitive information such as cookies when a privileged user interacts with the manipulated element.

Mitigation:

To mitigate this vulnerability, sanitize and validate user input such as the Smart Energy name field, so that markup is rejected before it is stored. Additionally, encode stored values properly when they are rendered, so that injected markup is displayed as text instead of being executed as script.
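
The two mitigation steps above applied to the name field, as an added example that is not Solar-Log or Exploit-DB code. The function names, the allowlist, the 32-character limit and the se-name class are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Solar-Log firmware code.

// Characters that change meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: apply every time a stored name is written into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation on save: allowlist of letters, digits, space and a few
// punctuation marks, 1 to 32 characters (both limits are assumptions).
const NAME_PATTERN = /^[\p{L}\p{N} _.-]{1,32}$/u;

function validateName(name) {
  if (typeof name !== "string") return { ok: false, reason: "not a string" };
  const trimmed = name.trim();
  if (!NAME_PATTERN.test(trimmed)) {
    return { ok: false, reason: "disallowed characters or length" };
  }
  return { ok: true, value: trimmed };
}

// Rendering: encode even values that passed validation, because records
// saved before the validation existed may still contain markup.
function renderNameCell(storedName) {
  return '<span class="se-name">' + escapeHtml(storedName) + "</span>";
}

// Constructed sample input: the name value from the PoC and a benign name.
const pocName = '<xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>';
const benignName = "Heat pump 1";

function demo() {
  return {
    pocAccepted: validateName(pocName).ok,       // rejected on save
    benignAccepted: validateName(benignName).ok, // accepted on save
    pocRendered: renderNameCell(pocName),        // inert text if already stored
  };
}

console.log(demo());
```

Validation alone does not protect names that were saved before it was introduced, which is why the render path encodes unconditionally.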
Source

Exploit-DB raw data:

# Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel
# Date: 10-30-23
# Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security
# Vendor Homepage: https://www.solar-log.com/en/
# Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019
# Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/
# CVE: CVE-2023-46344

# POC:

1. Go to solar panel
2. Go to configuration -> Smart Energy -> "drag & drop" button.
3. Change "name" to: <xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>
4. Once you hover over "test", you get XSS -> if a higher privileged user hovers over it, we can get their cookies.