Real Time Automation 460MCBS 5.2.14 Cross Site Scripting

2023.03.12
Credit: Yehia Elghaly
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Exploit Title: Real Time Automation 460MCBS Cross Site Scripting (XSS)
Date: 2023-03-09
Exploit Author: Yehia Elghaly
Vendor Homepage: https://www.rtautomation.com/
Software Link: https://www.rtautomation.com/product/460mcbs/
Version: Revision 5.2.14
Tested on: Real Time Automation
CVE: N/A

Summary: The Real Time Automation 460MCBS moves data between up to 32 Modbus TCP Servers and a BACnet/IP Building Automation System (BAS). It's a perfect tool to tie Modbus TCP power meters, boilers, chillers and other devices into your BACnet/IP Building Automation System.

Description: An attacker can convince a victim to visit a URL referencing a vulnerable page; malicious JavaScript content may then be executed within the context of the victim's browser. The XSS is triggered when a payload is inserted after (/).

Payload: ?c12yy<script>alert('XSSYF')</script>p1ax8=1

[Affected Component] (/)
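A detection sketch for the issue described above, added here as an example and not part of the original advisory or the vendor's code: it flags request lines whose query-string parameter names or values decode to HTML tags, because the advisory's payload sits in the parameter name, which value-only filters miss. The input format (bare HTTP request lines) and every sample line are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# "<" or "</" directly followed by a letter starts an HTML tag;
# "<3" and "a < b" do not match.
TAG = re.compile(r"</?[a-z]", re.IGNORECASE)

def decode_fully(text, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_parts(request_line):
    """Return [(part, decoded_text)] for markup in query names or values."""
    try:
        _method, rest = request_line.split(" ", 1)
        target, _version = rest.rsplit(" ", 1)
    except ValueError:
        return []  # not a well-formed request line
    hits = []
    # Split on the raw "&" and "=" first so encoded separators stay in place.
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        for part, raw in (("name", name), ("value", value)):
            text = decode_fully(raw)
            if TAG.search(text):
                hits.append((part, text))
    return hits

# Constructed sample request lines (not captured from a real device).
SAMPLES = [
    "GET /?page=1&sort=name HTTP/1.1",
    "GET /?c12yy%3Cscript%3Ealert(%27XSSYF%27)%3C/script%3Ep1ax8=1 HTTP/1.1",
    "GET /?c12yy%253Cscript%253Ealert(%2527XSSYF%2527)%253C/script%253Ep1ax8=1 HTTP/1.1",
    "GET /?note=a%3C3 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(suspicious_parts(line) or "clean", "<-", line)
```
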


Copyright 2024, cxsecurity.com

 
