CVE-2023-36081

Description

Stored Cross-Site Scripting vulnerability in GatesAir Flexiva FM Transmitter/Exciter v.FAX 150W allows execution of arbitrary JavaScript and application lockout via a crafted script submitted to the web application dashboard.

Discoverer: Eslam Kamal (Strik3r)

Vendor of Product: GatesAir

Affected Product: FM Transmitter/Exciter v.FAX 150W

Introduction

Stored Cross-Site Scripting (XSS) is the most dangerous type of Cross-Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. Stored XSS occurs when a web application gathers input from a user, which might be malicious, and then stores that input in a data store for later use.

Details

During the test, we found that the input fields of the "System Service Settings" endpoint are not checked or validated before being passed to the back-end, which leads to stored XSS and also locks the whole application for all users.

If we try to inject any XSS payload into these fields, the front-end prevents it, as shown below:

So, to bypass the front-end restriction, we use Burp Suite to capture the update request and send the malformed payload directly to the back-end:

As you can see above, the payload was sent successfully to the back-end, and it fires across the whole application because we injected it into the device title. Since the title is rendered in every page of the application, the payload executes every time the application is opened.

The injected payload also propagated to other fields in the application's data and malformed the back-end-generated HTML (server version).

This warning keeps all legitimate users out of the application: because of the malformed HTML, the application can no longer load normally.

To verify this, note that at the /json endpoint the "htmlGUIVersion" field has been infected with the XSS payload, as well as the "pagetitle" field.
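The root cause described above is a front-end-only check on the device title, with the stored value later interpolated unescaped into the page title and the /json document. The following Python example is added here to illustrate the defensive side of that finding; it is not code from the advisory or from the vendor's firmware. The field names "pagetitle" and "htmlGUIVersion" come from the advisory; the sample settings values, the title allowlist policy and the function names are assumptions for the example. It shows a server-side allowlist that holds even when the front-end filter is bypassed with an intercepting proxy, the unsafe rendering pattern beside an output-escaped one, and a check an operator can run over a saved /json dump to spot title fields that have been polluted with markup.

```python
import html
import json
import re

# Constructed sample of the device settings document. Field names follow the
# advisory's description of the /json endpoint; the values are made up.
CLEAN_SETTINGS = {"pagetitle": "FAX 150W Exciter", "htmlGUIVersion": "1.0"}

# Assumed server-side policy for a device title: letters, digits, space and a
# few safe punctuation characters, bounded length. No HTML metacharacters.
TITLE_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def validate_title(title: str) -> bool:
    """Allowlist check that runs on the server, so it cannot be skipped by
    replaying the update request without the front-end's JavaScript filter."""
    return TITLE_RE.fullmatch(title) is not None


def store_title(settings: dict, title: str) -> dict:
    """Persist a new device title only if it passes the allowlist; reject
    rather than store-and-hope, since the value is rendered everywhere."""
    if not validate_title(title):
        raise ValueError("device title rejected by server-side validation")
    updated = dict(settings)
    updated["pagetitle"] = title
    return updated


def render_vulnerable(settings: dict) -> str:
    """The flaw pattern: the stored title is interpolated into the page as-is,
    so a stored payload becomes live markup on every page load."""
    return f"<html><head><title>{settings['pagetitle']}</title></head></html>"


def render_hardened(settings: dict) -> str:
    """Escape on output: a stored payload is shown as text and cannot break out
    of the <title> element or inject a script."""
    safe_title = html.escape(settings["pagetitle"], quote=True)
    return f"<html><head><title>{safe_title}</title></head></html>"


# Indicator of a polluted field: HTML angle brackets or a javascript: URL in a
# value that should only ever be plain text.
MARKUP_RE = re.compile(r"[<>]|javascript:", re.IGNORECASE)


def find_tainted_fields(json_text: str,
                        fields=("pagetitle", "htmlGUIVersion")) -> list:
    """Operator check over a saved /json document: return the names of the
    text fields that contain markup, which is the symptom the advisory
    describes after the payload propagated into the stored settings."""
    doc = json.loads(json_text)
    return [name for name in fields
            if isinstance(doc.get(name), str) and MARKUP_RE.search(doc[name])]


if __name__ == "__main__":
    # Constructed dump standing in for a polluted /json response.
    polluted = json.dumps({"pagetitle": "<b>FAX 150W</b>",
                           "htmlGUIVersion": "<b>1.0</b>"})
    print("tainted fields:", find_tainted_fields(polluted))
    print(render_hardened({"pagetitle": "<b>FAX 150W</b>"}))
```

The output-escaping step is the one that prevents the lockout even for values stored before the server-side validation existed, which is why a fix needs both: the allowlist stops new bad values, and escaping makes already-stored ones harmless.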
