Reflected Cross-Site Scripting (XSS) and Absent HttpOnly Flag in Ursalink Industrial Cellular Router Admin Panel Leads to Account Takeover
Cross-Site Scripting (XSS) and Absent HttpOnly Flag vulnerabilities in Ursalink Industrial Cellular Router admin panel could allow remote attackers to execute arbitrary scripts and hijack user sessions, potentially leading to account takeover.
The admin panel does not properly validate and sanitize user input, allowing malicious scripts to be injected into the page's content. The "td" session cookie lacks the HttpOnly flag (and also the Secure flag), so client-side scripts can read it, leading to session hijacking and unauthorized access. Attackers can steal sensitive information, impersonate users, or perform unauthorized actions.
- Affected Products: UR5X, UR32L, UR32, UR35, UR41; other Industrial Cellular Routers may also be vulnerable.
- Affected Firmware: All including Latest v35.3.0.7
- Vulnerability Type (CWEs):
- Severity: Medium (CVSS 4.5/10), Vector String - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Vendor of the product: Milesight (Formerly Xiamen Ursalink Technology Co., Ltd.)
- Credits/Reported By: Bipin Jitiya (@win3zz)
- Any input provided after "/cgi-bin/" in the URL is echoed back without proper output encoding.
- Access the Ursalink Industrial Cellular Router admin panel, and modify the URL to inject a malicious script/payload, e.g.: /cgi-bin/any?param=<script>alert(document.cookie)</script>.
- Observe the executed payload in the browser, confirming the presence of the XSS vulnerability.
- Also, observe the login response in the Burp Repeater tool showing the "Set-Cookie" header without the HttpOnly and Secure flags.
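Two defender-side checks for the issues described above, as an added example that is not part of the original advisory or the vendor's code: an audit of a login response's Set-Cookie headers for the missing HttpOnly and Secure flags, and the unencoded echo of the CGI path beside its HTML-encoded fix. The sample response and the exact HTML context of the echo are assumptions constructed for the example.

```python
"""Checks for the Set-Cookie flags and the reflected CGI path (constructed data only)."""
import html
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("httponly", "secure")

# Constructed login response; the "td" cookie value is a placeholder, not a real capture.
SAMPLE_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: td=0123456789abcdef; Path=/\r\n"
    "\r\n"
    "<html>ok</html>"
)


def set_cookie_headers(raw_response: str) -> list[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]


def audit_set_cookie(header_value: str) -> dict[str, list[str]]:
    """Map each cookie in one Set-Cookie value to the list of required flags it lacks."""
    jar = SimpleCookie()
    jar.load(header_value)
    # Morsel flag attributes are True when present and "" when absent.
    return {name: [f for f in REQUIRED_FLAGS if not morsel[f]]
            for name, morsel in jar.items()}


def render_error(raw_path: str) -> str:
    """Vulnerable pattern (assumed context): the requested path is echoed straight into HTML."""
    return f"<p>Unknown CGI path: {raw_path}</p>"


def render_error_safe(raw_path: str) -> str:
    """Fixed pattern: HTML-encode untrusted text before placing it in the page body."""
    return f"<p>Unknown CGI path: {html.escape(raw_path, quote=True)}</p>"


if __name__ == "__main__":
    for value in set_cookie_headers(SAMPLE_LOGIN_RESPONSE):
        print(value, "->", audit_set_cookie(value))
    print(render_error_safe("any?param=<script>alert(document.cookie)</script>"))
```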
- August 22, 2023: Initial vendor notification regarding the vulnerability.
- August 31, 2023: Received response from Milesight, expressing appreciation for the report and agreeing that the identified issues can be improved in future updates.
- September 12, 2023: Requested a CVE ID
- September 26, 2023: CVE-2023-43260 assigned
- September 28, 2023: Notified the company about public disclosure
- October 5, 2023: Public disclosure