Infinxt iEdge 100 Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Infinxt iEdge 100 version 2.1.32. The 'Description' field of the LAN configuration is saved without sanitisation and later rendered on the console's summary page without output encoding, so an authenticated user with access to the LAN settings can store HTML and script in that field. The stored script runs in the browser of any user who subsequently views the page that displays it, which can expose that user's session and data and allow actions to be performed on their behalf.
Impact
Because the payload is persisted in the device configuration rather than reflected from a single request, it executes for every user who later views the affected page, and it runs in the origin of the management console with the victim's authenticated session. An attacker who can write to the 'Description' field can therefore read content the victim can see, hijack the victim's session, and perform actions in the console on the victim's behalf.
Reproduction
To reproduce this vulnerability, log into the console and navigate to the Network → LAN section. Fill in the required fields and submit the form while intercepting the request with a proxy such as Burp Suite. Replace the value of the 'Description' parameter with a simple script payload (for example a <script> tag) and forward the request. Then open the summary page that lists the LAN configuration: the stored payload is rendered unescaped and the script executes in the browser.
Remediation
To fix this vulnerability, encode user-supplied values at output time according to the context in which they are rendered (HTML body, attribute, JavaScript or URL), so that the stored 'Description' is treated as text rather than markup; this is the primary control, since input validation alone can be bypassed and does not protect data that has already been stored. Input validation (for example an allowlist of expected characters and a length limit on the 'Description' field) should be applied in addition, as defence in depth. Prefer templating libraries or frameworks that encode output by default, and deploy a Content Security Policy (CSP) that disallows inline scripts so that an injected <script> block cannot run even if an encoding gap remains elsewhere. Regular security testing and code review of the console's templates help catch further instances of the same pattern.
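The following is an added example, not code from Infinxt or from the iEdge firmware, written to show the behaviour described in the Reproduction and Remediation sections side by side: a summary-page renderer that concatenates the stored 'Description' straight into HTML (the vulnerable pattern) next to one that applies HTML-body output encoding, plus the allowlist validation and CSP header value suggested above. The stored record, the field names, the payload, and the CSP value are all assumptions chosen for illustration.

```javascript
// Added example: stored XSS via a configuration "Description" field, shown as
// a vulnerable renderer beside a hardened one. Illustrative code only; the
// record below is constructed and is not the device's real data model.

// Constructed record as it might sit in the configuration store after the
// Reproduction step replaced the 'Description' parameter with a payload.
const storedLanConfig = {
  name: "LAN1",
  description: "<script>alert(document.domain)</script>", // assumed payload
};

// Vulnerable renderer: the stored value is concatenated straight into HTML,
// so the browser parses the stored <script> tag and executes it for every
// user who views the summary page.
function renderSummaryRowVulnerable(cfg) {
  return `<tr><td>${cfg.name}</td><td>${cfg.description}</td></tr>`;
}

// Output encoding for the HTML-body context: the characters that can open or
// close a tag, attribute or entity are replaced with character references.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: every user-supplied value is encoded at output time, so
// the stored payload is displayed literally and is never parsed as markup.
function renderSummaryRowSafe(cfg) {
  return `<tr><td>${escapeHtml(cfg.name)}</td><td>${escapeHtml(cfg.description)}</td></tr>`;
}

// Defence in depth at input time: an allowlist of characters a LAN description
// plausibly needs, plus a length cap (both limits are assumptions).
const DESCRIPTION_PATTERN = /^[A-Za-z0-9 .,()_-]{0,64}$/;
function isValidDescription(value) {
  return DESCRIPTION_PATTERN.test(String(value));
}

// Defence in depth at the browser: a CSP with no 'unsafe-inline' in script-src
// stops an injected <script> block from running even if some other template
// in the console forgets to encode. The value is an assumption, not the
// device's configuration.
const cspHeader =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Simple check used to compare the two renderers: does the output contain a
// parseable <script ...> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("vulnerable:", renderSummaryRowVulnerable(storedLanConfig));
console.log("hardened:  ", renderSummaryRowSafe(storedLanConfig));
console.log("description accepted by allowlist:", isValidDescription(storedLanConfig.description));
console.log(cspHeader);
```

The vulnerable renderer emits the payload as a live <script> element, while the hardened renderer emits `&lt;script&gt;...` which the browser shows as text. Encoding belongs at the point of output because it is the only control that still protects records that were stored before the fix; the allowlist and the CSP reduce the blast radius of any future gap rather than replacing encoding.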
