Trimble SPS851 Cross-Site Scripting Vulnerability in Ethernet Configuration Menu
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Trimble SPS851 device running version 488.01. The issue arises in the Ethernet Configuration Menu, where the Hostname field can be manipulated to inject a reflected XSS payload. This vulnerability can be exploited remotely. When the injected payload is submitted, it triggers a pop-up containing session information, indicating successful execution of the script.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.
Reproduction
To reproduce this vulnerability, access the Trimble SPS851 Ethernet Configuration Menu while authenticated. In the Hostname field, insert a script injection payload, such as a script tag containing JavaScript code, such as an alert. After submitting the form, the injected script will execute, demonstrating the cross-site scripting vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.