JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities

Title: JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities
Advisory ID: ZSL-2022-5708
Type: Local/Remote
Impact: Cross-Site Scripting, Spoofing, System Access
Risk: (4/5)
Release Date: 14.06.2022
Summary
This ONU is the perfect GEPON home and business gateway. It is an all-rounder in perfection. It can BRIDGE/NAT/RIP ROUTEND and COMBINED.
Description
The device suffers from multiple vulnerabilities, including default credentials, cross-site request forgery (CSRF), authenticated stored cross-site scripting (XSS) and open redirect.
Vendor
JM-DATA GmbH - https://www.jm-data.at
Affected Version
1.0.67
1.0.62
1.0.55
Tested On
Boa/0.93.15
Vendor Status
N/A
PoC
jm_data-JF511-TV_info.txt
Credits
Vulnerability discovered by Neurogenesia - <neurogenesia@segfault.mk>
References
[1] https://packetstormsecurity.com/files/167487/
[2] https://cxsecurity.com/issue/WLB-2022060058
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/229355
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/229356
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/229344
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/229343
Changelog
[14.06.2022] - Initial release
[21.06.2022] - Added reference [1]
[23.06.2022] - Added reference [2], [3], [4], [5] and [6]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk