Genexis Platinum-4410 P4410-V2-1.31A – ‘start_addr’ Persistent Cross-Site Scripting – Digitalmunition




Exploit/Advisories spider-orange.png

Published on March 25th, 2021 📆 | 8170 Views ⚑

0

Genexis Platinum-4410 P4410-V2-1.31A – ‘start_addr’ Persistent Cross-Site Scripting

# Exploit Title: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting
# Date: 03/25/2020
# Exploit Author: Jithin KS
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Version: Platinum-4410 Software version - P4410-V2-1.31A
# Tested on: Windows 10
# Author Contact: hhttps://twitter.com/jithinks_8

Vulnerability Details
======================
Genexis Platinum-4410 Home Gateway Unit is vulnerable to stored XSS in the "start_addr" parameter. This could allow attackers to perform malicious action in which the XSS popup will affect all privileged users.

How to reproduce
===================
1. Login to the firmware as any user
2. Navigate to Manage tab--> Security Management
3. Enter any valid value in Start Source Address and fill all other fields. Click Add.
4. Capture this request in Burp Suite. Enter payload  in "start_addr" text box and forward the request.
5. Relogin as any user and again navigate to Manage tab--> Security Management
6. Observe the XSS popup showing persistent XSS
            


Source link

Tagged with:



Leave a Reply