Skip to content

Instantly share code, notes, and snippets.

@win3zz
Last active November 6, 2023 18:33
Show Gist options
  • Save win3zz/c7eda501edcf5383df32fabe00938d13 to your computer and use it in GitHub Desktop.
Save win3zz/c7eda501edcf5383df32fabe00938d13 to your computer and use it in GitHub Desktop.

CVE-2023-43260

Reflected Cross-Site Scripting (XSS) and Absent HttpOnly Flag in Ursalink Industrial Cellular Router Admin Panel Leads to Account Takeover

Vulnerability Details

Cross-Site Scripting (XSS) and Absent HttpOnly Flag vulnerabilities in Ursalink Industrial Cellular Router admin panel could allow remote attackers to execute arbitrary scripts and hijack user sessions, potentially leading to account takeover.

The admin panel does not properly validate and sanitize user inputs, allowing malicious scripts to be injected into the page's content. The "td" session cookie lacks the HttpOnly flag (and also Secure Flag), enabling client-side scripts to access it, leading to session hijacking and unauthorized access. Attackers can steal sensitive information, impersonate users, or perform unauthorized actions.

  • Affected Products: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Routers could also be vulnerable.
  • Affected Firmware: All including Latest v35.3.0.7
  • Vulnerability Type (CWEs):
    1. Improper Neutralization of Input During Web Page Generation ['Cross-site Scripting'] (CWE-79)
    2. Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004)
    3. Sensitive Cookie in HTTPS Session Without 'Secure' Flag (CWE-614)
  • Severity: Medium (CVSS 4.5/10), Vector String - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Vendor of the product: Milesight (Formerly Xiamen Ursalink Technology Co., Ltd.)
  • Credits/Reported By: Bipin Jitiya (@win3zz)

Proof of Concept (PoC)

  • When any input provided after "/cgi-bin/" in the URL is echoed back without proper output encoding.
  • Access the Ursalink Industrial Cellular Router admin panel, and modify the URL to inject a malicious script/payload, e.g.: /cgi-bin/any?param=<script>alert(document.cookie)</script>.
  • Observe the executed payload in the browser, confirming the presence of the XSS vulnerability.

Screenshot 2023-08-16 173342 - Copy

  • Also, observe the login response in the Burp Repeater tool showing the "Set-Cookie" header without the HttpOnly and Secure flags.

Screenshot 2023-08-07 202319 - Copy

Disclosure Timeline

  • August 22, 2023: Initial vendor notification regarding the vulnerability.
  • August 31, 2023: Received response from Milesight, expressing appreciation for the report and agreeing that the identified issues can be improved in future updates.
  • September 12, 2023: Requested for CVE-ID
  • September 26, 2023: CVE-2023-43260 assigned
  • September 28, 2023: Notified the company about public disclosure
  • October 5, 2023: Public disclosure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment