- Exploit Title: Logitech Media Server : HTML code injection and execution.
- Shodan Dork: Search Logitech Media Server
- Date: 11/03/2017
- Exploit Author: Dewank Pant
- Vendor Homepage: www.logitech.com
- Version: 7.9.0
- Tested on: Windows 10, Linux
POC:
- Access and go to the Radio URL tab and add a new URL.
- Add script as the value of the field.
- Payload : <script> alert(1)</script>
- Script saved and gives an image msg with a javascript execution on image click.
- Therefore, Persistent XSS.