New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross-site scripting vulnerability #12221
Comments
Testing this on 9.4.0.4, pasting However, to me this does not look like much of a "real" problem. If someone hostile gets access to screwing with my Tasmota devices, I'd likely have much bigger problems than this "detail". I'd certainly not be exposing them to the Internet, meaning that someone would have to breach my network in other ways to play around with Tasmota devices. And then they need no cross-site scriptring stuff, as they'd have much more straightforward ways of messing with me. |
The ESP8266 is lacking any security feature by design. IMHO every ESP8266 device which is reachable from non authorized people or machines is a high security risk. A real hacker will find a way to break in a ESP8266 driven device. NEVER use Tasmota in a not secured wifi environment. |
Tuya figured out the security for now. |
@digiblur No Open Source hacker is working on to break Tuya again on a ESP8266 device. |
Plenty of work has been done. No exploit found so far. The change of chipset isn't due to esp8266 security though. |
For a long time, some Tuya vulnerabilities were found, and actively exploited, at least by Tuya-convert. Seems closed for newer iterations. |
Wont and cant be fixed since it is a fight against windmills and the device does just not have the needed resources for. There is no chance to get the web interface hardened to call it secure. You showed one example. There are for sure many more. The webserver code in Arduino is a simple one. The only way to secure against such attacks, is to disable the webinterface. This is supported from Tasmota. |
Fixed in v13.3.0.1 f65ae06 |
PROBLEM DESCRIPTION
I've identified a Cross-site scripting vulnerability (XSS) in the web interface of Tasmota 6.5.0. Unfortunately, I can not check if the current release is also affected. It would be nice if someone could check this out and give me feedback.
REQUESTED INFORMATION
Make sure your have performed every step and checked the applicable boxes before submitting your issue. Thank you!
Backlog Template; Module; GPIO 255
:Backlog Rule1; Rule2; Rule3
:Status 0
:weblog
to 4 and then, when you experience your issue, provide the output of the Console log:TO REPRODUCE
Navigate to "Configuration" - "Configure Other" and insert the following sting in the field "Friendly Name 1":
"/><script>alert(1)</script>
After that, a JavaScript alert box should appear if the version is vulnerable.
EXPECTED BEHAVIOUR
A clear and concise description of what you expected to happen.
SCREENSHOTS
If applicable, add screenshots to help explain your problem.
ADDITIONAL CONTEXT
Add any other context about the problem here.
(Please, remember to close the issue when the problem has been addressed)
The text was updated successfully, but these errors were encountered: