Sensaphone WEB600 Monitoring System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Sensaphone WEB600 Monitoring System, affecting version 1.6.5.H and earlier. This vulnerability allows remote authenticated attackers to execute arbitrary JavaScript by sending crafted GET requests to the /@.xml endpoint. The malicious payloads can be placed in the g7200, g7300, g4601, and g1F02 parameters, which correspond to the name, description, location, and zone name fields, respectively. Once injected, the payloads execute across various sections of the WEB600 dashboard, including the Summary, Setup, Zones, Outputs, Profiles, and History sections.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /@.xml endpoint with a payload encoded for XSS, such as an image tag with an 'onerror' event. The payload should be placed in one of the vulnerable parameters: g7200, g7300, g4601, or g1F02, depending on the desired injection point.