Reporter Denis Kolegov
`SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.
Input validation and output escaping mechanisms are missing for CLI
interface. Stored XSS is possible. By exploiting that vulnerability an
attacker can obtain sensitive information (e.g., private key) or modify a
remote routeras SSL certificate fingerprint employed in VPN tunneling.
There are two management interfaces in the Viprinet system. One of them is
a CLI which is available via 127.0.0.1:5111. And the second one is a Web
There is an access control mechanism which allows to add an user and give
him a privilege to write or read to some sections of the app (sections
like: ADMINRIGHTS, QOSTEMPLATES, etc.).
Steps to Reproduce:
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.
2. The user should have access to the CLI and Web Interface.
3. Add a new ITEM in the TRAFFICRULES section.
4. Using CLI, the added user with minimal privileges could set Name for
created ITEM to <svg/onload=alert(ViprinetSessionId)>
5. If the root user logs in, an alert window with sessionID will be shown.
It should be noted, that passing a session ID in URL as a mitigation
technique (actively used by Viprinet) does not work here.
The same report was sent to Viprinet in September 2018.
SD-WAN New Hope Team.