var-202308-2103
Vulnerability from variot
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface. St. P\xf6lten UAS
title| Multiple XSS in Advantech
product| Advantech EKI-1524-CE series, EKI-1522 series,
| EKI-1521 series
vulnerable version| <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203) fixed version| 1.26 CVE number| CVE-2023-4202, CVE-2023-4203 impact| Medium homepage| https://advantech.com found| 2023-05-04 by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder | This vulnerability was discovery during research at | St. P\xf6lten UAS, supported and coordinated by CyberDanube. | | https://fhstp.ac.at | https://cyberdanube.com
Vendor description
\x93Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.\x94
Source: https://www.advantech.com/en/about
Vulnerable versions
EKI-1524-CE series / 1.21 (CVE-2023-4202) EKI-1522-CE series / 1.21 (CVE-2023-4202) EKI-1521-CE series / 1.21 (CVE-2023-4202)
EKI-1524-CE series / 1.24 (CVE-2023-4203) EKI-1522-CE series / 1.24 (CVE-2023-4203) EKI-1521-CE series / 1.24 (CVE-2023-4203)
Vulnerability overview
1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203) Two stored cross-site scripting vulnerabilities has been identified in the firmware of the device. The first XSS was identified in the "Device Name" field and the second XSS was found in the "Ping" tool. This can be exploited in the context of a victim's session.
1.1) Stored XSS in Device Name CVE-2023-4202 The first vulnerability can be triggerd by setting the device name ("System->Device Name") to the following value: ">
This code prints out the cached cookies to the screen.
1.2) Stored XSS in Ping Function CVE-2023-4203 The second XSS vulnerability can be found in "Tools->Ping". The following GET request prints the current cached cookies of a user's session to the screen.
http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20&size=56&count=1&interface=eth0&_=1682793104513
An alternative to the used payload is using "onmouseover" event tags. In this case it prints out the number "1337": " onmousemove="alert(1337)"
The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
Upgrade to the newest available firmware.
Workaround
None.
Recommendation
Advantech customers are advised to upgrade the firware to the latest available version.
Contact Timeline
2023-05-16: Contacting vendor via security contact. 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue. 2023-05-25: Contact stated that new firmware should resolve the issue. 2023-06-03: Sent new payload to the vendor. 2023-06-05: Vendor asked for clarification; Sent further explaination to the contact; Vendor contact said he knows a solution. 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues. 2023-06-27: Asked for the release date. 2023-07-04: Contact stated, that they are currently doing QA tests. 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published. 2023-07-17: Assigned CVE numbers for the issues. Asked for an update. 2023-07-18: Vendor contact stated that the firmware will be released end of July. 2023-08-07: Asked contact for the new firmware version. 2023-08-08: Received version 1.26 as the official released firmware with fixes. Coordinated release of security advisory.
Web: https://www.fhstp.ac.at/ Twitter: https://twitter.com/fh_stpoelten Mail: mis at fhstp dot ac dot at
EOF T. Weber / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202308-2103",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.24"
},
{
"model": "eki-1522",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.24"
},
{
"model": "eki-1521",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.24"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber, A. Resanovic, T. Etzenberger, M. Bineder, R. Haas",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
},
"cve": "CVE-2023-4203",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "office@cyberdanube.com",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-4203",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "office@cyberdanube.com",
"id": "CVE-2023-4203",
"trust": 1.0,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface. St. P\\xf6lten UAS\n-------------------------------------------------------------------------------\n title| Multiple XSS in Advantech\n product| Advantech EKI-1524-CE series, EKI-1522 series,\n | EKI-1521 series\n vulnerable version| \u003c=1.21 (CVE-2023-4202), \u003c=1.24 (CVE-2023-4203)\n fixed version| 1.26\n CVE number| CVE-2023-4202, CVE-2023-4203\n impact| Medium\n homepage| https://advantech.com\n found| 2023-05-04\n by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder\n | This vulnerability was discovery during research at\n | St. P\\xf6lten UAS, supported and coordinated by CyberDanube. \n |\n | https://fhstp.ac.at | https://cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\\x93Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\\x94\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21 (CVE-2023-4202)\nEKI-1522-CE series / 1.21 (CVE-2023-4202)\nEKI-1521-CE series / 1.21 (CVE-2023-4202)\n\nEKI-1524-CE series / 1.24 (CVE-2023-4203)\nEKI-1522-CE series / 1.24 (CVE-2023-4203)\nEKI-1521-CE series / 1.24 (CVE-2023-4203)\n\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)\nTwo stored cross-site scripting vulnerabilities has been identified in the\nfirmware of the device. The first XSS was identified in the \"Device Name\" field\nand the second XSS was found in the \"Ping\" tool. This can be exploited in the\ncontext of a victim\u0027s session. \n\n1.1) Stored XSS in Device Name CVE-2023-4202\nThe first vulnerability can be triggerd by setting the device name\n(\"System-\u003eDevice Name\") to the following value:\n\"\u003e\u003cscript\u003ealert(\"document.cookie\")\u003c/script\u003e\n\nThis code prints out the cached cookies to the screen. \n\n1.2) Stored XSS in Ping Function CVE-2023-4203\nThe second XSS vulnerability can be found in \"Tools-\u003ePing\". The following GET\nrequest prints the current cached cookies of a user\u0027s session to the screen. \n\nhttp://$IP/cgi-bin/ping.sh?random_num=2013\u0026ip=172.16.0.141%3b%20\u003cscript\u003ealert(1)\u003c/script\u003e\u0026size=56\u0026count=1\u0026interface=eth0\u0026_=1682793104513\n\nAn alternative to the used payload is using \"onmouseover\" event tags. In this\ncase it prints out the number \"1337\":\n\" onmousemove=\"alert(1337)\"\n\nThe vulnerability was manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpgrade to the newest available firmware. \n\nWorkaround\n-------------------------------------------------------------------------------\nNone. \n\n\nRecommendation\n-------------------------------------------------------------------------------\nAdvantech customers are advised to upgrade the firware to the latest\navailable version. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-05-16: Contacting vendor via security contact. \n2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. \n The contact is trying to reproduce issue 1.2; Gave advice to\n reproduce issue. \n2023-05-25: Contact stated that new firmware should resolve the issue. \n2023-06-03: Sent new payload to the vendor. \n2023-06-05: Vendor asked for clarification; Sent further explaination to the\n contact; Vendor contact said he knows a solution. \n2023-06-22: Asked for an update; Contact stated that the beta firmware should\n resolve the issues. \n2023-06-27: Asked for the release date. \n2023-07-04: Contact stated, that they are currently doing QA tests. \n2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated\n that it can be published. \n2023-07-17: Assigned CVE numbers for the issues. Asked for an update. \n2023-07-18: Vendor contact stated that the firmware will be released end of\n July. \n2023-08-07: Asked contact for the new firmware version. \n2023-08-08: Received version 1.26 as the official released firmware with fixes. \n Coordinated release of security advisory. \n\n\n\nWeb: https://www.fhstp.ac.at/\nTwitter: https://twitter.com/fh_stpoelten\nMail: mis at fhstp dot ac dot at\n\nEOF T. Weber / @2023\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
},
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.99
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-4203",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "174153",
"trust": 1.1
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"id": "VAR-202308-2103",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2023-12-18T13:41:18.278000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.0,
"url": "http://packetstormsecurity.com/files/174153/advantech-eki-1524-ce-eki-1522-eki-1521-cross-site-scripting.html"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2023/aug/13"
},
{
"trust": 1.0,
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"trust": 0.1,
"url": "https://fhstp.ac.at"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-4203"
},
{
"trust": 0.1,
"url": "http://$ip/cgi-bin/ping.sh?random_num=2013\u0026ip=172.16.0.141%3b%20\u003cscript\u003ealert(1)\u003c/script\u003e\u0026size=56\u0026count=1\u0026interface=eth0\u0026_=1682793104513"
},
{
"trust": 0.1,
"url": "https://cyberdanube.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-4202"
},
{
"trust": 0.1,
"url": "https://twitter.com/fh_stpoelten"
},
{
"trust": 0.1,
"url": "https://www.advantech.com/en/about"
},
{
"trust": 0.1,
"url": "https://advantech.com"
},
{
"trust": 0.1,
"url": "https://medusa.cyberdanube.com)."
},
{
"trust": 0.1,
"url": "https://www.fhstp.ac.at/"
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-08-14T17:13:30",
"db": "PACKETSTORM",
"id": "174153"
},
{
"date": "2023-08-08T11:15:12.143000",
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-08-14T19:15:14.627000",
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524-CE / EKI-1522 / EKI-1521 Cross Site Scripting",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.