Kaa IoT Platform 1.2.0 Cross Site Scripting

2020.11.16

Credit: Mufaddal Masalawala

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2020-26701

CWE: CWE-79

#Exploit Title: Kaa IoT Platform 1.2.0 Cross Site Scripting (XSS)
Vulnerability
#Date: 2020-10-01
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.kaaproject.org/
#Software Link: https://cloud.kaaiot.com/
#Version: 1.2.0
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-26701
#Proof Of Concept:
Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT
Platform v1.2.0 allows remote attackers to inject malicious web scripts or
HTML Injection payloads via the Description parameter.
To exploit this vulnerability:
1. Open Firefox browser, login to the cloud.kaaiot.com and access the
dashboard
2. Go to 'Solutions' module, select any one solution(create if not
present) and click on it.
3. Now in the Dashboards module, edit the Dashboard.
4. in Description, enter the payload <img src="x"
onerror="alert(window.location)" /> and click 'Update'.
5. Open that Dashboard and you'll receive an alert executing user
supplied script in the browser.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Kaa IoT Platform 1.2.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.