layout: post
title: CVE-2021-3014 - MikroTik hotspot login XSS
description: MikroTik hotspot login page is vulnerable to XSS-Reflected
Tags: exploits bugbounty

Author: Mohammed Al-Barbari aka @m4dm0e

CVE-ID: CVE-2021-3014

Summary: There is a reflected XSS in the MikroTik hotspot login page.


Description: The hotspot login page has a hidden input called target with a blank value. You can put any value into it just by adding a new parameter with the value you want, and it will be reflected in the page source, e.g.: c.net/login?target=HelloAll

Source code:

<input type="text" name="target" value="HelloAll" />

There are also no filters on this value, so you can break out of the value attribute and start a new attribute, e.g.: ?target=hhh" onSubmit="alert(0)

Page source:

<input type="text" name="target" value="hhh" onSubmit="alert(0)" />

After the victim clicks the submit button, the XSS fires!
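The root cause is that the parameter is written into the attribute without HTML encoding. The following is an added example, not code from the original post or from MikroTik: the function names are hypothetical, and the two inputs are the ones shown above. It renders the field with and without attribute encoding and checks whether an extra attribute appears.

```javascript
// Added example; all names are hypothetical and this is not MikroTik code.

// Vulnerable pattern: the query value is concatenated into the attribute as-is.
function renderVulnerable(target) {
  return '<input type="text" name="target" value="' + target + '" />';
}

// HTML attribute encoding: the characters that can end a quoted value or
// open markup are replaced by entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened pattern: same template, value encoded before insertion.
function renderHardened(target) {
  return '<input type="text" name="target" value="' + escapeAttr(target) + '" />';
}

// Minimal parser for one tag with double-quoted attributes:
// returns the attribute names in lower case, in order of appearance.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check for templates: the field may only carry type, name, value.
function hasInjectedAttribute(tag) {
  const allowed = new Set(['type', 'name', 'value']);
  return attributeNames(tag).some((n) => !allowed.has(n));
}

// Inputs taken from the two examples on this page.
const samples = ['HelloAll', 'hhh" onSubmit="alert(0)'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'vulnerable:', hasInjectedAttribute(renderVulnerable(s)),
    'hardened:', hasInjectedAttribute(renderHardened(s)));
}
```

With encoding applied, the whole parameter stays inside the value attribute as inert text, so the check reports no injected attribute.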


How to exploit this? Well, you have to be on the same network, so you can use this, with many techniques, to get the admin user and password or cookies, and also those of the users!

PoC: There is a PoC video that I will share as soon as possible on my channel, GrodRiket Security.