Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit

Medium
Advisory ID
ZSL-2019-5522
Release Date
15 May 2019
Vendor
BTicino S.p.A. - https://www.bticino.com
Affected Version
Hardware Platform: F454, Firmware version: 1.0.51, Driver Manager version: 1.1.14
Tested On
Apache/2.2.14 (Unix), OpenSSL/1.0.0d, PHP/5.1.6
Summary

The F454 is an audio/video web server for remote control of the home automation system via web pages or the MY HOME portal. The device can also operate as a gateway for the MHVisual and Virtual Configurator software (6 DIN modules). It replaces items F453 and F453AV.

Description

The application suffers from an authenticated stored cross-site scripting (XSS) vulnerability reachable via a GET request. Input passed through the GET parameter 'server' is persisted and later returned to the user without proper sanitization or output encoding. An authenticated attacker can exploit this to execute arbitrary HTML and script code in the browser session of any user who views the affected page, in the context of the affected site.
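
The pattern behind this bug class, as an added illustration that is not code from the advisory or from BTicino: a value taken from the GET parameter 'server' is stored and later concatenated straight into an HTML attribute, shown next to the hardened rendering that HTML-entity encodes the value for the attribute context. The settings store, the handler, the page template and the canary value are all hypothetical; only the parameter name comes from the advisory, and the real affected script path on the F454 is not given on this page. The check at the end parses the rendered page and reports whether the stored value broke out of the attribute (extra element, event-handler attribute), which is the test a practitioner would run against a patched firmware build.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Hypothetical in-memory store standing in for the device's persisted configuration.
SETTINGS = {}

# Constructed canary: harmless on its own, but it closes the surrounding
# attribute and opens a new element if it is rendered without encoding.
CANARY = '"><svg onload=alert(1)>'


def handle_settings_get(query_string):
    """Hypothetical handler: persist the 'server' value submitted via GET."""
    params = parse_qs(query_string, keep_blank_values=True)
    SETTINGS["server"] = params.get("server", [""])[0]
    return SETTINGS["server"]


def render_vulnerable():
    """Vulnerable rendering: stored value concatenated into an attribute as-is."""
    server = SETTINGS.get("server", "")
    return '<input type="text" name="server" value="' + server + '">'


def render_fixed():
    """Hardened rendering: entity-encode for the attribute context (quotes included)."""
    server = html.escape(SETTINGS.get("server", ""), quote=True)
    return '<input type="text" name="server" value="' + server + '">'


class TagCollector(HTMLParser):
    """Collect start tags and any on* event-handler attributes the browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))

    handle_startendtag = handle_starttag


def analyse(body):
    """Return (tags, handlers) found in a rendered page body."""
    parser = TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags, parser.handlers


def exercise(renderer, value=CANARY):
    """Submit `value` as a browser would encode it, render the settings page with
    `renderer`, and report whether the value escaped the attribute context."""
    handle_settings_get(urlencode({"server": value}))
    body = renderer()
    tags, handlers = analyse(body)
    return {
        "body": body,
        "tags": tags,
        "handlers": handlers,
        "broke_out": len(tags) > 1 or bool(handlers),
    }


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        result = exercise(renderer)
        print(name, result["broke_out"], result["body"])
```

With the vulnerable renderer the parser sees two elements, `input` and `svg`, plus an `onload` handler; with the hardened renderer it sees a single `input` whose value is the encoded canary. Because the value is stored, the correct fix is output encoding at every place the setting is rendered, not input filtering at the one GET handler that writes it.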

Proof of Concept
Disclosure Timeline
30.04.2019 Vulnerability discovered.
01.05.2019 Vendor contacted.
01.05.2019 Vendor responds, employee from BTicino will contact us.
14.05.2019 No reply from the vendor.
15.05.2019 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
15.05.2019 Initial release
17.05.2019 Added reference [2] and [3]
23.03.2026 Added reference [4]