Harry935

**Name of the Vulnerable Software and Affected Versions** RUCKUS Cloudpath version 5.12 build 5538 or before **Description** A vulnerability in the web-based interface of the RUCKUS Cloudpath product could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface. A successful attack, combined with a certain admin activity, could allow the attacker to gain full admin privileges on the exploited system. The vulnerability can be exploited via a crafted script to the `macaddress` parameter in the onboarding portal. **Recommendations** For RUCKUS Cloudpath version 5.12 build 5538 or before, consider disabling the onboarding portal or restricting access to the `macaddress` parameter until a patch is available. As a temporary workaround, avoid using the `macaddress` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.