Curious stored XSS in Feldtech easescreen Crystal 9.0
Sometimes during a red team assessment we find bugs that are not useful for reaching our objective, compromising the target corporation. However, in some cases those bugs are interesting nonetheless.
Easescreen Crystal is a "digital signage software for network and timebased distribution and display of data contents". We found a stored XSS in Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265; however, other versions could be affected.
This software offers an FTP service with basic authentication. If you provide a simple XSS payload as the username, this value will be reflected in the Debug Log component of the administration panel.
So, if you view the debug log after this unsuccessful login, we have found our XSS. However, only the last 1000 entries are displayed in the debug log. On the other hand, this is not a problem from an attacker's perspective because this process could be automated.
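The root cause described above is a log viewer that writes an attacker-controlled FTP username into HTML without output encoding. The sketch below is an added example, not code from easescreen or from the original post; the entry format and all function names are assumptions. It shows the unsafe rendering beside the encoded one, plus a helper for reviewing stored entries.

```javascript
// Added example, not vendor code. The entry shape and function names are hypothetical.
const MAX_ROWS = 1000; // the post states only the last 1000 entries are displayed

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the username from the failed FTP login is concatenated as-is.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.time}</td><td>FTP login failed for user ${entry.user}</td></tr>`;
}

// Hardened pattern: every field is encoded at output time, whatever its origin.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.time)}</td>` +
         `<td>FTP login failed for user ${escapeHtml(entry.user)}</td></tr>`;
}

// Render only the newest MAX_ROWS entries, mirroring the debug log view.
function renderDebugLog(entries, renderRow = renderRowSafe) {
  return entries.slice(-MAX_ROWS).map(renderRow).join('\n');
}

// Review helper: stored entries whose username contains markup characters.
function findSuspiciousEntries(entries) {
  return entries.filter((e) => /[<>"'&]/.test(String(e.user)));
}

// Constructed sample entries (not taken from a real log).
const sampleEntries = [
  { time: '2020-01-07 10:00:01', user: 'backup' },
  { time: '2020-01-07 10:00:05', user: '<script>alert(1)</script>' },
];

console.log(renderDebugLog(sampleEntries));
console.log(findSuspiciousEntries(sampleEntries).length, 'entry flagged for review');
```

Encoding at render time also covers entries that were already stored before the fix, which input filtering on the FTP service alone would not.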
And that's all, thanks for reading.
Disclosure timeline:
- 10/12/2019 Vendor notified. No response.
- 26/12/2019 CVE-2019-20003 assigned.
- 07/01/2020 Vendor notified second time.
- 07/01/2020 Response from vendor.
- 07/01/2020 Details sent to vendor. They said that they will release a fix soon.
- 17/01/2020 Blog post.

