Tuesday, February 11, 2020

[Ericsson] - Multiple Stored & Reflected XSS

Ericsson RX8200 devices are vulnerable to multiple reflected and stored XSS vulnerabilities.

Affected Devices:

  • RX8200 - Version 5.13.3

Reflected XSS:

By injecting JavaScript code into the "path" parameter of any of the menus in the URL, using GET or POST, we get a reflected XSS.

We also found another one in the "Service + ID" parameter.

Stored XSS:

By injecting JavaScript code into the name of the devices and then refreshing the page, we can see the stored XSS being executed.

CVE: CVE-2020-22158
By: @Linuxmonr4