FIBARO System Home Center Remote File Inclusion Vulnerability Allowing Cross-Site Scripting
Vulnerability
A remote file inclusion vulnerability has been identified in FIBARO System Home Center version 5.021, affecting Home Center 3, Home Center 2, and Home Center Lite. The vulnerability resides in the undocumented proxy API, where the 'url' GET parameter can be exploited to inject arbitrary client-side scripts, such as JavaScript or VBScript. This exploitation could lead to cross-site scripting (XSS) by hijacking user sessions or manipulating page content.
Impact
Exploitation of this vulnerability allows for remote file inclusion, which can be used to execute arbitrary code on the vulnerable web server. Additionally, the cross-site scripting aspect of the vulnerability could be used to hijack user sessions or manipulate the appearance of the web page.
Reproduction
To reproduce this vulnerability, send a request to the proxy API with the 'url' parameter set to a location of a malicious file that contains a client-side script, such as JavaScript or VBScript. The server will include this file, executing the script in the context of the user's browser.
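The root cause described above is a proxy endpoint that fetches whatever location its 'url' parameter names. The following is an added example, not code from the advisory or from FIBARO's firmware, showing the two controls a defender would put in place: a strict scheme-and-host allowlist for the proxied URL, and a detection pass over web-server access logs that flags proxy requests whose 'url' points outside that allowlist. The endpoint path `/api/proxy`, the allowlist contents and the log lines are all constructed assumptions; the advisory only says "the proxy API" and names no path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical endpoint path: the advisory names no path for the proxy API.
PROXY_PATH = "/api/proxy"

# Assumed allowlist: the proxy may only fetch from the controller itself.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}


def proxy_url_is_allowed(url):
    """Hardened check for the 'url' parameter.

    Returns True only when the URL uses an allowed scheme and its host is on
    the allowlist; anything else (external hosts, non-HTTP schemes, unparsable
    input) is rejected rather than proxied.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_external_proxy_requests(log_lines):
    """Return proxy-API requests whose 'url' parameter fails the allowlist.

    Each finding records the client IP, the timestamp and the decoded URL so
    an analyst can pivot on the source host.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != PROXY_PATH:
            continue
        # parse_qs percent-decodes, so encoded and plain URLs are treated alike
        for url in parse_qs(query).get("url", []):
            if not proxy_url_is_allowed(url):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "url": url})
    return findings


# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /api/proxy?url=http://127.0.0.1/dashboard HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /api/proxy?url=http%3A%2F%2F203.0.113.5%2Fpage.html HTTP/1.1" 200 1024',
    '192.0.2.11 - - [10/Oct/2023:13:57:14 +0000] "GET /api/devices HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:58:22 +0000] "GET /api/proxy?url=ftp://203.0.113.9/file.txt HTTP/1.1" 403 0',
]


if __name__ == "__main__":
    for f in find_external_proxy_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} proxied external URL: {f['url']}")
```

Running the block flags the second and fourth lines (an external HTTP host and a non-HTTP scheme) and leaves the loopback fetch and the unrelated endpoint alone. The allowlist is deliberately host-based rather than a denylist of script-bearing content types, since the page's point is that the proxy should never reach attacker-controlled locations at all.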
