International Datacasting Corporation SFX Series SuperFlex Satellite Receiver XML Injection Vulnerability
Vulnerability
A vulnerability allowing XML injection has been identified in the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface, version 101. The issue arises in the '/IDC_Logging/checkifdone.cgi' script, where user input from the 'file' parameter is reflected directly into a CDATA block without proper sanitization. This flaw enables an authenticated attacker to manipulate the XML structure by breaking out of the CDATA tags and injecting arbitrary XML elements. Additionally, this vulnerability can be exploited to execute reflected cross-site scripting (XSS) attacks, and there is potential for further exploitation through XML External Entity (XXE) attacks.
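The unsanitized CDATA reflection described above, next to two encodings that keep the value as data. This is an added example, not IDC's code; the `<response>`/`<file>` element names, the function names and the sample value are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample value: contains the CDATA terminator followed by markup.
SAMPLE = "log.txt]]></file><injected/><file><![CDATA[x"


def render_unsafe(file_param):
    """The flawed pattern: raw input placed inside a CDATA section."""
    return "<response><file><![CDATA[" + file_param + "]]></file></response>"


def cdata_safe(value):
    """Wrap value in CDATA, splitting every ']]>' across two sections
    so the input can never terminate the section itself."""
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def render_cdata(file_param):
    """Hardened form 1: keep CDATA, neutralize the terminator."""
    return "<response><file>" + cdata_safe(file_param) + "</file></response>"


def render_escaped(file_param):
    """Hardened form 2: drop CDATA and entity-escape &, < and >."""
    return "<response><file>" + escape(file_param) + "</file></response>"


def element_tags(xml_text):
    """Every element tag in document order; extra tags mean injection."""
    return [el.tag for el in ET.fromstring(xml_text).iter()]


def file_text(xml_text):
    """Text content of the first <file> element after parsing."""
    return ET.fromstring(xml_text).find("file").text


if __name__ == "__main__":
    for render in (render_unsafe, render_cdata, render_escaped):
        doc = render(SAMPLE)
        print(render.__name__, element_tags(doc), file_text(doc) == SAMPLE)
```

In both hardened forms the parsed document contains only the expected elements and the `file` text round-trips to the submitted value, which is the property a regression test for this endpoint should assert.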
Impact
Successful exploitation lets an attacker inject arbitrary XML elements into the application. This injection can be leveraged to execute reflected cross-site scripting (XSS) attacks. Further exploitation through XML External Entity (XXE) attacks may also be possible.
