PT-2022-23284 · Airspan · Airspan Airspot 5410

Published: 2022-08-08 · Updated: 2024-03-10 · CVE-2022-36266

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Airspan AirSpot 5410 versions 0.3.4.1-4 and under

Description

The issue concerns a stored XSS vulnerability. It occurs because the binary file /home/www/cgi-bin/login.cgi does not check if the user is authenticated, allowing a malicious actor to craft a specific request on the "login.cgi" endpoint that contains a base32 encoded XSS payload. This payload will be accepted and stored, resulting in the injection of malicious scripts into the user settings page.

Recommendations

For Airspan AirSpot 5410 versions 0.3.4.1-4 and under, consider disabling access to the "login.cgi" endpoint until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the user settings page to minimize the risk of malicious script injection. Avoid using the "login.cgi" endpoint with base32 encoded payloads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
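
Where the endpoint cannot be disabled, requests to it can be screened for the pattern described above. The following is an added detection example, not code from the vendor or from this advisory: it assumes request URLs with query strings are available from a fronting proxy log, and the parameter names and sample requests are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Markup fragments that should never appear in a decoded login/settings field.
SUSPICIOUS = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")

def try_base32(value):
    """Return the decoded text if value is plausibly base32, else None."""
    candidate = value.strip().upper()
    if len(candidate) < 8 or not BASE32_RE.match(candidate):
        return None
    candidate = candidate.rstrip("=")
    candidate += "=" * (-len(candidate) % 8)  # tolerate stripped padding
    try:
        return base64.b32decode(candidate).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def flag_requests(urls, endpoint="/cgi-bin/login.cgi"):
    """Return (url, parameter, decoded) for requests to the endpoint whose
    base32-decoded parameter values contain HTML/script markup."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if not parts.path.endswith(endpoint):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = try_base32(value)
            if decoded and SUSPICIOUS.search(decoded):
                findings.append((url, name, decoded))
    return findings

# Constructed sample requests; the parameter names "user" and "data" are made up.
MARKER = base64.b32encode(b"<script>/*test-marker*/</script>").decode()
SAMPLE = [
    "/cgi-bin/login.cgi?user=admin",
    "/cgi-bin/login.cgi?data=" + MARKER,
    "/cgi-bin/status.cgi?data=" + MARKER,
    "/cgi-bin/login.cgi?data=" + base64.b32encode(b"plain text value").decode(),
]

if __name__ == "__main__":
    for url, name, decoded in flag_requests(SAMPLE):
        print(f"{url}: parameter {name!r} decodes to {decoded!r}")
```
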

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-36266

Affected Products

Airspan Airspot 5410