AVE DOMINAplus <=1.10.x CSRF/XSS Vulnerabilities

Title: AVE DOMINAplus <=1.10.x CSRF/XSS Vulnerabilities
Advisory ID: ZSL-2019-5547
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 27.12.2019
DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. Designed to revolutionize your concept of living. DOMINA plus is the AVE home automation proposal that makes houses safer, more welcoming and optimized. In fact, our home automation system introduces cutting-edge technologies, designed to improve people's lifestyle. DOMINA plus increases comfort, the level of safety and security and offers advanced supervision tools in order to learn how to evaluate and reduce consumption through various solutions dedicated to energy saving.
The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
AVE S.p.A. - https://www.ave.it
Affected Version
Web Server Code 53AB-WBS - 1.10.62
Touch Screen Code TS01 - 1.0.65
Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
Touch Screen Code TS05 - 1.10.36
Models: 53AB-WBS
App version: 1.10.77
App version: 1.10.65
App version: 1.10.64
App version: 1.10.62
App version: 1.10.60
App version: 1.10.52
App version: 1.10.52A
App version: 1.10.49
App version: 1.10.46
App version: 1.10.45
App version: 1.10.44
App version: 1.10.35
App version: 1.10.25
App version: 1.10.22
App version: 1.10.11
App version: 1.8.4
App version: TS1-1.0.65
App version: TS1-1.0.62
App version: TS1-1.0.44
App version: TS1-1.0.10
App version: TS1-1.0.9
Tested On
GNU/Linux 4.1.19-armv7-x7
GNU/Linux 3.8.13-bone50/bone71.1/bone86
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Debian)
Vendor Status
[06.10.2019] Vulnerability discovered.
[14.10.2019] Vendor contacted.
[20.10.2019] No response from the vendor.
[21.10.2019] Vendor contacted.
[26.12.2019] No response from the vendor.
[27.12.2019] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://packetstormsecurity.com/files/155760
[2] https://www.exploit-db.com/exploits/47821
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/173629
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/173618
[5] https://cxsecurity.com/issue/WLB-2019120115
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-21988
[27.12.2019] - Initial release
[29.12.2019] - Added reference [1]
[24.01.2020] - Added reference [2], [3], [4] and [5]
[19.06.2021] - Added reference [6]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk