hackerone / Nih8l / H1:331368
Mar 30, 2018 - 3:29 p.m.

Ubiquiti Inc.: 3x Reflected XSS vectors for services.cgi (XM.v6.1.6, build 32290)

2018-03-30 15:29:46
nih8l
hackerone.com

EPSS: 0.001 (percentile: 48.9%)

Certain endpoints contain functionality that is vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. Authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, modify configuration, upload arbitrary firmware, and exfiltrate files and tokens.

The fixes for these vulnerabilities were included in the new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards.
For more details please visit:
https://community.ui.com/releases/airMAX-M-v6-3-0/c8d5dec9-4030-4d7e-b23f-6a5b35ed3d83

https://www.ui.com/download/airmax-m
