Thursday, January 30, 2020

[SYROTECH] Stored Cross-Site Scripting (Authenticated) in SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116 devices

Syrotech is a company based in India that manufactures compatible optical transceivers, GPON/EPON, networking switches, CATV equipment, FTTH passive products, testing equipment and accessories.

 More Info:

 The tested device was SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116+

After logging in with the default credentials of admin:admin, I noticed that in the Security tab, under the WAN ACL sub-menu, it is possible to inject arbitrary JavaScript code in the URL field.

After saving, the URL automatically pops the alert box.
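A mitigation sketch for the stored value described above, as an added example that is not the vendor's firmware code: the URL is validated before it is saved and HTML-escaped whenever it is rendered back into the admin page. The function names, the http/https-only rule and the 255-character limit are assumptions made for illustration.

```javascript
// Added example (not vendor code): validate an ACL URL entry before storing it,
// and HTML-escape it whenever it is rendered back into the admin page.

// Hypothetical rule: accept only http/https URLs with no markup or control characters.
function validateAclUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 255) return null;
  // Reject whitespace, control characters, quotes, angle brackets and backslashes.
  if (/[\u0000-\u0020<>"'`\\]/.test(input)) return null;
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null; // no embedded credentials
  return url.href; // the normalized form is what gets stored
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders one table row of a hypothetical ACL list page.
function renderAclRow(storedUrl) {
  return '<tr><td>' + escapeHtml(storedUrl) + '</td></tr>';
}

// Constructed sample inputs.
const samples = [
  'http://example.com/path?a=1&b=2',
  '<script>alert(1)</script>',
  'javascript:alert(1)',
];
for (const s of samples) {
  const stored = validateAclUrl(s);
  console.log(JSON.stringify(s), '->', stored === null ? 'rejected' : 'stored ' + stored);
}
// Escaping on output also covers values saved before validation existed.
console.log(renderAclRow('<script>alert(1)</script>'));
```

Both controls are needed: validation keeps new markup out of storage, while output encoding neutralizes entries that were already saved.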



