KYOCERA Net Admin 3.4 Multiple XSS Vulnerabilities

Title: KYOCERA Net Admin 3.4 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2018-5457
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.04.2018
Summary
KYOCERA Net Admin is Kyocera's unified device management software that uses a web-based platform to give network administrators easy and uncomplicated control to handle a fleet for up to 10,000 devices. Tasks that used to require multiple programs or walking to each printer can now be accomplished in a single, fast and modern environment.
Description
The application is prone to multiple reflected cross-site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to several parameters that are handled by various servlets. Attackers can exploit this issue to execute arbitrary HTML and script code in a user's browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Vendor
KYOCERA Corporation - https://global.kyocera.com
Affected Version
3.4.0906
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Apache Tomcat/8.5.15
Vendor Status
[28.03.2018] Vulnerability discovered.
[28.03.2018] Vendor contacted.
[06.04.2018] No response from the vendor.
[07.04.2018] Public security advisory released.
PoC
kyocera_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/141383
[2] https://cxsecurity.com/issue/WLB-2018040067
[3] https://packetstormsecurity.com/files/147097
Changelog
[07.04.2018] - Initial release
[16.04.2018] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk