Sunday, January 26, 2020

[ITERIS] - Vantage Velocity Field Unit - Multiple Stored XSS vulnerabilities - (CVE-2020-9025)

I continue with the research on ITERIS devices, in this case on the same "Vantage Velocity Field Unit". This time, I started placing some requests by injecting one or another javascript code to see what was coming out.

I found that in the "" function that I only found in version 2.4.2 devices, I can inject malicious code into several of its parameters and can do XSS attacks. The most interesting thing is that the XSS that was found is stored, which makes it even better. In addition, on this function, there is a button called "Star Data Viewver", which is the one I used for the XSS. however , in the request sent the credentials of the admin of the device are shown, which at no time I have used, since the device does not ask for passwords, which I found curious.

First of all we go to the URL "http://SERVER_IP:8089/cgi-bin/"

Once there, we click on "Star Data Viewver" and capture the request.

We inject the "Javascript" code in any of the parameters of the request, since all are vulnerable.

The attack will be reflected in the following URLs once the request is sent with the modified javascript code


Affected Version: 2.4.2
Affected Parameters:
  1. htmlBluetoothReaderId
  2. htmlDataOutputFile
  3. htmlMacAddressResendTimeSeconds
  4. htmlSelectEnableUdpOutput
  5. htmlUdpOutputHost
  6. htmlUdpOutputPort
  7. htmlSelectRestartOnCommFailure
  8. htmlSelectAnonymizeMacAddresses
  9. htmlWifiChannelScan
  10. htmlSelectEnableHeartbeatMessage
  11. htmlSelectEnableBluetoothCapture
  12. htmlSelectEnableWifiCapture
  13. htmlAuthenticate
  14. htmlLogin
  15. htmlPassword
  16. htmlLoggedIn
So I will go for each of the affected parameters.
  • HtmlBluetoothReaderId

  • HtmlDataOutputFile

  • HtmlMacAddressResendTimeSeconds 

  • HtmlSelectEnableUdpOutput 

  • HtmlUdpOutputHost

  • HtmlUdpOutputPort 

  • HtmlSelectRestartOnCommFailure 

  • HtmlSelectAnonymizeMacAddresses 

  • HtmlWifiChannelScan

  • HtmlSelectEnableHeartbeatMessage 

  • HtmlSelectEnableBluetoothCapture 

  • HtmlSelectEnableWifiCapture 

  • HtmlAuthenticate

  • HtmlLogin 

  • HtmlPassword 

  • HtmlLoggedIn 

By: @Linuxmonr4



0 comentarios:

Post a Comment