PT-2021-21077 · Akcp · Sensorprobe

Published

2021-06-30

Updated

2021-07-06

CVE-2021-35956

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: AKCP sensorProbe versions prior to SP480-20210624

Description: The issue is related to stored cross-site scripting (XSS) in the embedded webserver. Remote authenticated attackers can introduce arbitrary JavaScript via specific fields, including Sensor Description, Email (from/to/cc), System Name, and System Location.

Recommendations: For versions prior to SP480-20210624, update to SP480-20210624 or later to resolve the issue. As a temporary workaround, consider restricting access to the embedded webserver or limiting the ability to introduce arbitrary JavaScript via the vulnerable fields. Avoid using the vulnerable fields in the affected API endpoints until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-35956

Affected Products

Sensorprobe

PT-2021-21077 · Akcp · Sensorprobe

CVE-2021-35956

Weakness Enumeration

Related Identifiers

Affected Products

References · 8