Ubiquiti Networks: Unauthenticated Cross-Site Scripting in Web Management Console

2016-03-10T04:04:39
ID H1:121941
Type hackerone
Reporter jstjohn
Modified 2017-10-02T14:10:02

Description

The researcher demonstrated that an attacker could exploit an XSS vulnerability on airOS devices by luring a user to an attacker-controlled website. For the exploit to work, the same browser must not have visited the device before (no cookies stored for the device). Fixes have been released with airOS v5.6.15 and airOS v6.0.3.