| शीर्षक | Grandstream GXP1625 1.0.7.4 xss |
|---|
| विवरण | Normal user update system variable to inject xss payload to network status info.
It happens to the endpoint '/cgi-bin/api.values.post' can update system variable. Then normal user can call the endpoint to update vpn_ip, then the value will stored in the system. Every visit of network status can triggered the XSS vulnerability.
One of the usage is to steal admin's cookie for further action.
Report:
https://drive.google.com/file/d/1rsskCaj4TwiaGG9_VYabjnKMP_zAry7L/view?usp=sharing
pwd: YyF2mcRcCLR123MX24 |
|---|
| स्रोत | ⚠️ https://drive.google.com/file/d/1rsskCaj4TwiaGG9_VYabjnKMP_zAry7L/view?usp=sharing |
|---|
| उपयोगकर्ता | cccll (UID 92824) |
|---|
| सबमिशन | 20/11/2025 03:11 PM (5 महीनों पहले) |
|---|
| संयम | 06/12/2025 03:01 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 334606 [Grandstream GXP1625 1.0.7.4 Network Status Page /cgi-bin/api.values.post vpn_ip क्रॉस साइट स्क्रिप्टिंग] |
|---|
| अंक | 20 |
|---|