{"id":60450,"date":"2024-11-23T04:31:51","date_gmt":"2024-11-23T01:31:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/182759\/UAS-20241118-0.txt"},"modified":"2024-11-23T04:31:51","modified_gmt":"2024-11-23T01:31:51","slug":"seh-utnserver-pro-20-1-22-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/seh-utnserver-pro-20-1-22-cross-site-scripting\/","title":{"rendered":"SEH utnserver Pro 20.1.22 Cross Site Scripting"},"content":{"rendered":"

St. P\u00f6lten UAS 20241118-0
——————————————————————————-
title| Multiple Stored Cross-Site Scripting
product| SEH utnserver Pro
vulnerable version| 20.1.22
fixed version| 20.1.35
CVE number| CVE-2024-11304
impact| High
homepage| https:\/\/www.seh-technology.com\/
found| 2024-05-24
by| P. Riedl, J. Springer, P. Chist\u00e8, D. Sagl, S. Vogt
| These vulnerabilities were discovery during research at
| St.P\u00f6lten UAS, supported and coordinated by CyberDanube.
|
| https:\/\/fhstp.ac.at | https:\/\/cyberdanube.com
——————————————————————————-<\/p>\n

Vendor description
——————————————————————————-
“We are SEH from Bielefeld – manufacturer of high-quality network solutions.
With over 35 years of experience in the fields of printing and networks, we
offer our customers a broad and high-level expertise in solutions for all types
of business environments.”<\/p>\n

Source: https:\/\/www.seh-technology.com\/us\/company\/about-us.html<\/p>\n

Vulnerable versions
——————————————————————————-
utnserver Pro \/ 20.1.22
utnserver ProMAX \/ 20.1.22
INU-100 \/ 20.1.22<\/p>\n

Vulnerability overview
——————————————————————————-
1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)
Different settings on the web interface of the device can be abused to store
JavaScript code and execute it in the context of a user’s browser.<\/p>\n

Proof of Concept
——————————————————————————-
1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)
The following snippet can be used to demonstrate, that stored cross-site
scripting is possible in multiple locations on the device:
“><script>alert(document.location)<\/script><\/p>\n

Examples are:
* Users password: “usrMg_pwd”
This can be displayed in cleartext and executed in the device configuration.
* Certificate options: “Common name”, “Organization name”, “Locality name”
This can be executed in the certificate information.
* Device description: “Host name”, “Contact person”, “Description”
This can be executed in “Device -> Description”.
* USB password via uploading a crafted “_parameters.txt” file: “usbMdg_pwd”
This can be executed in the “Maintenance -> Content View” tab.<\/p>\n

Saving this text to the device description leads to a persistent cross-site
scripting. Therefore, everyone who openes the device description executes the
injected code in the context of the own browser.<\/p>\n

The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https:\/\/medusa.cyberdanube.com).<\/p>\n

Solution
——————————————————————————-
Install firmware version 20.1.35 to fix the vulnerabilities.<\/p>\n

Workaround
——————————————————————————-
None<\/p>\n

Recommendation
——————————————————————————-
CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to
the latest version available.<\/p>\n

Contact Timeline
——————————————————————————-
2024-09-23: Contacting SEH Computertechnik and sent advisory to support.
Support answered, that vulnerabilities are fixed in version
20.1.35.
2024-10-21: Closed the issue and scheduled publication for November.
2024-11-18: Coordinated disclosure of advisory.<\/p>\n

Web: https:\/\/www.fhstp.ac.at\/
Twitter: https:\/\/x.com\/fh_stpoelten
Mail: mis@fhstp.ac.at<\/p>\n

EOF T. Weber \/ @2024<\/p>\n","protected":false},"excerpt":{"rendered":"

St. P\u00f6lten UAS 20241118-0——————————————————————————-title| Multiple Stored Cross-Site Scriptingproduct| SEH utnserver Provulnerable version| 20.1.22fixed version| 20.1.35CVE number| CVE-2024-11304impact| Highhomepage| https:\/\/www.seh-technology.com\/found| 2024-05-24by| P. Riedl, J. Springer, P. Chist\u00e8, D. Sagl, S. Vogt| These vulnerabilities were discovery during research at| St.P\u00f6lten UAS, supported and coordinated by CyberDanube.|| https:\/\/fhstp.ac.at | https:\/\/cyberdanube.com——————————————————————————- Vendor description——————————————————————————-“We are SEH from Bielefeld – manufacturer …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-60450","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=60450"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/60450\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=60450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=60450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=60450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}