Logitech Media Server 7.9.0 – ‘favorites’ Cross-Site Scripting

Exploit Database
95 阅读

作者： Dewank Pant

日期： 2017-11-03
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/43122/

# Exploit Title: Logitech Media Server : Persistent Cross Site Scripting(XSS)
# Shodan Dork: Search Logitech Media Server
# Date: 11/03/2017
# Exploit Author: Dewank Pant
# Vendor Homepage: www.logitech.com
# Software Link: [download link if available]
# Version: 7.9.0
# Tested on: Windows 10, Linux
# CVE : Applied For.



POC:

Access and go to the favorites tab and add a new favorite.
Add script as the value of the field.
Payload : <script> alert(1)</script>
Script saved and gives a pop-up to user every time they access that page.
Therefore, Persistent XSS.

last Exploits
Logitech Media Server 7.9.0 – ‘favorites’ Cross-Site Scripting的更多信息

Crypto Currency Tracker (CCT) 9.5 – Admin Account Creation (Unauthenticated)：
Hikvision Web Server Build 210702 – Command Injection：
Joomla! Component Biitatemplateshop – ‘groups’ SQL Injection：
BMC Service Desk Express 10.2.1.95 – Multiple Vulnerabilities：
Uebimiau Webmail 3.2.0-2.0 – Local File Inclusion：
Prometeo 1.0.65 – SQL Injection：
Tribq CMS 5.2.7 – Cross-Site Request Forgery (Adding/Editing New Administrator Account)：
CustomCMS – Persistent Cross-Site Scripting：