AutoConnect Cross-Site Scripting Vulnerability via Crafted Wi-Fi SSID
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the AutoConnect Arduino library, specifically in version 1.4.2. The issue arises in the web interface configuration page, where HTML and JavaScript can be executed through a manipulated Wi-Fi network name (SSID). This vulnerability allows attackers to inject scripts that could be executed in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the user's browser. This could lead to session hijacking, credential theft, or unauthorized data manipulation.
Reproduction
To reproduce this vulnerability, create a Wi-Fi hotspot with a name that includes a script payload, such as a JavaScript alert command. Connect to the hotspot and access the AutoConnect web interface. The injected script will execute automatically, demonstrating the XSS vulnerability.
Remediation
It is recommended to HTML-encode all SSIDs before displaying them in the web interface to prevent script injection.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.