CVE-ID: CVE-2022-34021

Multiple Cross Site Scripting (XSS) vulnerabilities in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via the form fields.

Upon entering text such as “<script>alert(1)</script>” in form fields, the application stores the input and renders it as JavaScript code instead of text.

E.g., XSS in Node Name (test<img src=# onerror=alert(1)>)
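
The stored-and-rendered behaviour described above, next to the output-encoding fix recommended by the OWASP cheat sheet in the references. This is an added example, not code from the advisory or from ResIOT; the function names, the table-row markup and the sample records are assumptions made for illustration.

```javascript
// Added example: names and markup below are constructed, not ResIOT code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so the browser parses it as HTML/JavaScript instead of text.
function renderNodeRowUnsafe(node) {
  return '<tr><td title="' + node.name + '">' + node.name + '</td></tr>';
}

// Hardened pattern: the value is encoded at output time, which covers both
// the element text and the quoted attribute value.
function renderNodeRowSafe(node) {
  const name = escapeHtml(node.name);
  return '<tr><td title="' + name + '">' + name + '</td></tr>';
}

// Audit helper: return ids of stored records whose name contains markup
// characters, so they can be reviewed after upgrading to the patched version.
function findSuspectNames(nodes) {
  return nodes.filter((n) => /[<>"'&]/.test(String(n.name))).map((n) => n.id);
}

// Constructed sample records; ids 2 and 3 use the inputs quoted in the advisory.
const storedNodes = [
  { id: 1, name: 'gateway-01' },
  { id: 2, name: 'test<img src=# onerror=alert(1)>' },
  { id: 3, name: '<script>alert(1)</script>' },
];

for (const node of storedNodes) {
  console.log(renderNodeRowSafe(node));
}
console.log('records to review:', findSuspectNames(storedNodes));
```

Encoding at render time also neutralises values that were stored before the fix, which input filtering alone does not.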

References:

https://www.resiot.io/en/changelog/ (Patched Version: 4.1.1000118, Release Date: 31/08/2022)

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
