Ksenia Security Lares 4.0 Home Automation URL Redirection

2025.04.01
Credit: ShadeLock
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Ksenia Security Lares 4.0 Home Automation URL Redirection
# Google Dork: N/A
# Date: 31 March 2025
# Exploit Author: Mencha 'ShadeLock' Isajlovska
# Vendor Homepage: https://www.kseniasecurity.com/en/
# Software Link: https://www.kseniasecurity.com/en/company/why-lares-4-0.html
# Version: Lares 4.0
# Tested on: Ksenia Lares Webserver
# CVE : N/A

# Desc: Input passed via the 'redirectPage' GET parameter in 'cmdOk.xml' script is not properly verified before being used to redirect users. This can be exploited to redirect an authenticating user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

http://192.168.1.2/xml/cmd/cmdOk.xml?cmd=setMacro&pin=123456&macroId=2&redirectPage=//zeroscience.mk
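A server-side check that would refuse the redirect described above, as an added example (not the vendor's or the advisory author's code): it accepts a `redirectPage` value only when it is a path on the same site, which rules out protocol-relative targets such as the `//zeroscience.mk` value in the advisory. The function names, the fallback path `/` and the sample path `/index.html` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Request URL taken from the advisory text.
ADVISORY_URL = ("http://192.168.1.2/xml/cmd/cmdOk.xml"
                "?cmd=setMacro&pin=123456&macroId=2&redirectPage=//zeroscience.mk")
# Constructed sample: same script, redirect target is a local path (hypothetical).
LOCAL_URL = ("http://192.168.1.2/xml/cmd/cmdOk.xml"
             "?cmd=setMacro&macroId=2&redirectPage=/index.html")


def is_local_redirect(target: str) -> bool:
    """Return True only when target is a path on the same site."""
    # Reject empty values and control characters; browsers silently drop
    # tab/CR/LF inside URLs, so "/\t/host" would otherwise become "//host".
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat a backslash like a forward slash in http(s) URLs.
    normalized = target.replace("\\", "/")
    # Must start with exactly one slash: "//host" is protocol-relative and
    # anything without a leading slash may carry a scheme ("https:...").
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    return parts.scheme == "" and parts.netloc == ""


def redirect_or_default(request_url: str, default: str = "/") -> str:
    """Return the redirectPage value if it is local, otherwise the default."""
    values = parse_qs(urlsplit(request_url).query).get("redirectPage", [])
    target = values[0] if values else ""
    return target if is_local_redirect(target) else default


if __name__ == "__main__":
    for url in (ADVISORY_URL, LOCAL_URL):
        print(redirect_or_default(url))
```

The same predicate can be run over proxy or web-server logs to flag requests to `cmdOk.xml` whose `redirectPage` value is not local.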


Copyright 2025, cxsecurity.com