Ubiquiti Networks: Unauthenticated Cross-Site Scripting in Web Management Console

ID H1:121941
Type hackerone
Reporter jstjohn
Modified 2017-10-02T14:10:02


The researcher demonstrated that an attacker could exploit an XSS vulnerability on airOS devices by luring a user to an attacker-controlled website. For the exploit to work, there must be no previous visits to the device from the same browser (no cookies stored for the device). Fixes have been released in airOS v5.6.15 and airOS v6.0.3.