[EN] St. Pölten UAS | Stored Cross-Site Scripting in SEH utnserver Pro


Title: Multiple Stored Cross-Site Scripting
Product: SEH utnserver Pro
Vulnerable version: 20.1.22
Fixed version: –
CVE: CVE-2024-11304
Impact: High
Homepage: https://www-seh-technology.com/
Found: 2024-05-24


The utnserver Pro is prone to stored cross-site scripting. This allows an attacker to place malicious code in the web interface of the utnserver.

Vendor description

“We are SEH from Bielefeld – manufacturer of high-quality network solutions. With over 35 years of experience in the fields of printing and networks, we offer our customers a broad and high-level expertise in solutions for all types of business environments.”

Source: https://www.seh-technology.com/us/company/about-us.html

Vulnerable versions

utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22

Vulnerability overview

1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)
Different settings on the web interface of the device can be abused to store JavaScript code and execute it in the context of a user’s browser.

Proof of Concept

1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)

The following snippet can be used to demonstrate that stored cross-site scripting is possible in multiple locations on the device:

"><script>alert(document.location)</script>

Examples are:

  • User password: “usrMg_pwd”
    This can be displayed in cleartext and executed in the device configuration.
  • Certificate options: “Common name”, “Organization name”, “Locality name”
    This can be executed in the certificate information.
  • Device description: “Host name”, “Contact person”, “Description”
    This can be executed in “Device -> Description”.
  • USB password via uploading a crafted “_parameters.txt” file: “usbMdg_pwd”
    This can be executed in the “Maintenance -> Content View” tab.

Saving this text to the device description leads to persistent cross-site scripting. Therefore, everyone who opens the device description executes the injected code in the context of their own browser.
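As an added illustration (not part of the original advisory and not SEH firmware code), the following Python example shows why the test string above escapes a quoted attribute value and how encoding on output keeps it inert. The form markup and the stored settings are constructed assumptions; only the field names and the test string come from the advisory.

```python
from html import escape
from html.parser import HTMLParser

# Test string from the advisory (straight-quote form).
POC = '"><script>alert(document.location)</script>'

# Constructed stand-in for the stored "Device -> Description" settings.
STORED = {"Host name": POC, "Contact person": "admin", "Description": "lab unit"}

def render_unsafe(settings):
    """Vulnerable pattern: stored values concatenated into an attribute."""
    return "".join(
        f'<label>{k}</label><input name="{k}" value="{v}">\n'
        for k, v in settings.items())

def render_escaped(settings):
    """Hardened pattern: encode on output; quote=True also encodes " and '."""
    return "".join(
        f'<label>{escape(k)}</label>'
        f'<input name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">\n'
        for k, v in settings.items())

class TagCollector(HTMLParser):
    """Records the elements and input values a parser derives from markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        result = parse(render(STORED))
        print(name, "script element present:", "script" in result.tags)
        print(name, "first input value:", repr(result.values[0]))
```

In the unsafe rendering the first input's value is cut short at the injected quote and a script element follows it; in the escaped rendering the same string comes back as the field's value and no script element exists.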

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Install firmware version 20.1.35 to fix the vulnerabilities.

Workaround

None

Recommendation

CyberDanube recommends that SEH Computertechnik customers upgrade the firmware to the latest version available.


Contact Timeline

  • 2024-09-23: Contacted SEH Computertechnik and sent the advisory to support. Support answered that the vulnerabilities are fixed in version 20.1.35.
  • 2024-10-21: Closed the issue and scheduled publication for November.
  • 2024-11-18: Coordinated disclosure of advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a CyberDanube lecture held at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube and the MEDUSA solution.