Advisories

Sustainable Irrigation Platform 5.2.16 Stored XSS via Program Name

Go Back
severity
medium
date
Affecting
  • SIP <= 5.2.16

  • An affected version range remains undefined

CWE
  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS
5.3
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Credit
Anja Ivanovska of Zero Science Lab
Description
Sustainable Irrigation Platform (SIP) through version 5.2.16 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject arbitrary JavaScript by supplying malicious script payloads within program names submitted via HTTP requests. Attackers can exploit the lack of output encoding on rendered program names to execute arbitrary JavaScript in the browsers of any users viewing the affected page, with exploitation facilitated by the absence of a required passphrase or the default passphrase 'opendoor'.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.
  • Vulnerability Prioritization
    Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
  • Early Warning System
    Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.