Headline
CVE-2022-38814: Fiberhome AN5506-02-B Cross Site Scripting ≈ Packet Storm
A stored cross-site scripting (XSS) vulnerability in the auth_settings component of FiberHome AN5506-02-B vRP2521 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the sncfg_loid text field.
Change Mirror Download
# Exploit Title: FiberHome - AN5506-02-B - RP2521 - Authenticated Stored XSS# Date: 10/08/2022# Exploit Author: Leonardo Goncalves# Version: Firmware RP25211) Log in the equipment via your web browser2) Go to Network > auth_settings3) In the "sncfg_loid" inject the payload "<script>alert()</script>"4) Click Save5) Exploit!