Thursday, January 30, 2020

[SYROTECH] Stored Cross-Site Scripting (Authenticated) in SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116 devices

Syrotech is a company based in India that manufactures compatible optical transceivers, GPON/EPON, networking switches, CATV equipment, FTTH passive products, testing equipment and accessories.

More Info: https://www.syrotech.com/About-us.html

The tested device was SYROTECH SY-GOPON-1000-2WONU V2.1.7_X116+



After logging in with the default credentials of admin:admin, I've noticed that in the Security tab, at the WAN ACL sub-menu, it is possible to inject arbitrary JavaScript code in the URL field.





After saving, the URL automatically pops the alert box.



@xpl0ited1
