Viprinet VPN Hub Router Cross Site Scripting

Type packetstorm
Reporter Denis Kolegov
Modified 2018-10-19T00:00:00


                                            `SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.  
Input validation and output escaping mechanisms are missing for CLI  
interface. Stored XSS is possible. By exploiting that vulnerability an  
attacker can obtain sensitive information (e.g., private key) or modify a  
remote routeras SSL certificate fingerprint employed in VPN tunneling.  
Vulnerability Description:  
There are two management interfaces in the Viprinet system. One of them is  
a CLI which is available via And the second one is a Web  
There is an access control mechanism which allows to add an user and give  
him a privilege to write or read to some sections of the app (sections  
Steps to Reproduce:  
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.  
2. The user should have access to the CLI and Web Interface.  
3. Add a new ITEM in the TRAFFICRULES section.  
4. Using CLI, the added user with minimal privileges could set Name for  
created ITEM to <svg/onload=alert(ViprinetSessionId)>  
5. If the root user logs in, an alert window with sessionID will be shown.  
It should be noted, that passing a session ID in URL as a mitigation  
technique (actively used by Viprinet) does not work here.  
The same report was sent to Viprinet in September 2018.  
SD-WAN New Hope Team.