lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 19 Oct 2018 12:22:04 +0700
From: Denis Kolegov <>
Subject: [FD] Stored XSS in Viprinet VPN Hub Router

SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.

Input validation and output escaping mechanisms are missing for CLI
interface. Stored XSS is possible. By exploiting that vulnerability an
attacker can obtain sensitive information (e.g., private key) or modify a
remote router’s SSL certificate fingerprint employed in VPN tunneling.

Vulnerability Description:
There are two management interfaces in the Viprinet system. One of them is
a CLI which is available via And the second one is a Web
There is an access control mechanism which allows to add an user and give
him a privilege to write or read to some sections of the app (sections

Steps to Reproduce:
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.
2. The user should have access to the CLI and Web Interface.
3. Add a new ITEM in the TRAFFICRULES section.
4. Using CLI, the added user with minimal privileges could set Name for
created ITEM to  <svg/onload=alert(ViprinetSessionId)>
5. If the root user logs in, an alert window with sessionID will be shown.

It should be noted, that passing a session ID in URL as a mitigation
technique (actively used by Viprinet) does not work here.

The same report was sent to Viprinet in September 2018.

SD-WAN New Hope Team.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists