Ubiquiti Inc.: Local File Disclosure (+XSS+CSRF) in AirOS 6.2.0 devices

HackerOne report H1:661647
Published: 2019-07-27 04:12:17
Reporter: murmus
Source: hackerone.com

EPSS: 0.001 (Low), percentile 51.0%

Certain endpoints expose functionality that is vulnerable to reflected cross-site scripting (XSS), allowing attackers to abuse the user's session information and/or take over the admin user's account. Authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, modify the configuration, upload arbitrary firmware, and exfiltrate files and tokens.
These vulnerabilities were found on AirMax AirOS v6.2.0 and prior versions for TI, XW and XM boards.

The fix for these vulnerabilities was included in the new version of AirMax AirOS firmware, v6.3.0, for TI, XW and XM boards.
For more details please visit:
https://community.ui.com/releases/airMAX-M-v6-3-0/c8d5dec9-4030-4d7e-b23f-6a5b35ed3d83

https://www.ui.com/download/airmax-m