Ubiquiti Networks: Reflected XSS

ID H1:304175
Type hackerone
Reporter aidantwoods
Modified 2018-09-25T13:06:22


Due to the lack of sanitisation in the comment area, it is possible, with an especially crafted message, to execute an XSS through the "preview" function. If a draft is saved, the same bug can be exploited as a stored XSS.

The "New Discussion" page on the Spanish and Portuguese forums has a feature in which a user may leave an HTML comment. The post itself will not yield XSS, but the comment, prior to sanitisation, is rendered on the page before posting. An attacker may exploit this via GET variables to yield a reflected XSS. They may escalate this to a stored XSS with their scripting privileges by saving a payload as a draft. This attack may be initiated directly by linking a logged-in user to one of these pages, or indirectly by abusing the domain trust from a validated redirect, e.g. a post-login redirect elsewhere on the *.ubnt.com origin.
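The flaw class in the report is a preview that echoes request input into the page before the sanitiser that protects the final post runs. The following is an added illustration, not Ubiquiti's forum code: a minimal preview renderer in its unsafe form beside the output-encoded form. The query parameter name `comment` and the wrapper markup are assumptions made for the example.

```javascript
// Added example (not the vendor's code). The parameter name `comment` and the
// wrapper markup are assumptions; the point is where encoding happens.

// Encode the characters that let text break out of an HTML text node or attribute.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the comment taken from the URL is placed into the page
// verbatim, so markup in a crafted link is interpreted by the browser.
function renderPreviewUnsafe(queryString) {
  const comment = new URLSearchParams(queryString).get('comment') || '';
  return `<div class="preview">${comment}</div>`;
}

// Hardened pattern: encode on output, so the same input is shown as text.
// A saved draft must go through the same path, otherwise the reflected bug
// becomes the stored one described in the report.
function renderPreviewSafe(queryString) {
  const comment = new URLSearchParams(queryString).get('comment') || '';
  return `<div class="preview">${escapeHtml(comment)}</div>`;
}

// Constructed sample input: a comment containing markup, as a user or a
// crafted link could supply it via the GET parameter.
const SAMPLE_QUERY = 'comment=' + encodeURIComponent('<b>hi</b> & <img alt="x">');

// Detection helper for review or tests: does the rendered fragment still
// contain a raw tag inside the preview wrapper?
function containsRawTag(html) {
  const inner = html.replace(/^<div class="preview">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

module.exports = { escapeHtml, renderPreviewUnsafe, renderPreviewSafe, containsRawTag, SAMPLE_QUERY };
```

Encoding at output time, rather than relying on the sanitiser that runs at post time, is what closes both the reflected and the draft-based stored variant.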