Zucchetti Axess Access Control Devices Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in the web-based configuration interface of Zucchetti Axess access control devices. This includes models XA4, X3/X3BIO, X4, X7, XIO, i-door, and i-door+. The vulnerability arises from inadequate sanitization of user input in the 'dirBrowse' parameter of the '/file_manager.cgi' endpoint. An authenticated attacker could exploit this to inject arbitrary JavaScript, executed in the context of an administrative user, potentially leading to session hijacking, unauthorized configuration changes, and disclosure of sensitive information.

Impact

Exploitation of this vulnerability could result in session hijacking, privilege escalation, and credential theft.

Reproduction

To reproduce this vulnerability, send a GET request to the '/file_manager.cgi' endpoint with the 'dirBrowse' parameter containing a script tag, such as '<script>alert(1)</script>'.
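The advisory attributes the flaw to the 'dirBrowse' value being reflected into the administrative page without sanitization. The following added example models that sink in Python and is not the vendor's firmware code: `render_listing_unsafe` is a hypothetical stand-in for the vulnerable reflection, `render_listing_safe` shows the fix (HTML output encoding, with an allow-list check on the directory name as a second layer), and `flag_requests` shows how a defender can scan web-server access logs for requests to '/file_manager.cgi' whose 'dirBrowse' parameter carries script markup. The log lines, function names and the allow-list pattern are constructed assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# --- Hypothetical model of the sink (not the device's real code) -------------

def render_listing_unsafe(dir_browse: str) -> str:
    """Vulnerable pattern: the request parameter is interpolated into HTML verbatim."""
    return f"<h1>Directory: {dir_browse}</h1>"

def render_listing_safe(dir_browse: str) -> str:
    """Hardened pattern: encode for the HTML text context before reflecting.
    html.escape turns <, >, &, " and ' into entities, so markup is shown, not executed."""
    return f"<h1>Directory: {html.escape(dir_browse, quote=True)}</h1>"

# Allow-list for a directory-browse parameter: path characters only (assumed policy).
ALLOWED_DIR = re.compile(r"[A-Za-z0-9_./-]*")

def validate_dir_browse(dir_browse: str) -> bool:
    """Reject anything outside the allow-list and any '..' path component.
    Validation complements output encoding; it does not replace it."""
    if ALLOWED_DIR.fullmatch(dir_browse) is None:
        return False
    if ".." in dir_browse.split("/"):
        return False
    return True

# --- Detection over access logs ---------------------------------------------

# Markup fragments that should never appear in a directory name.
SUSPICIOUS = re.compile(r"<\s*/?\s*script|javascript:|on\w+\s*=", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')
TARGET_PATH = "/file_manager.cgi"
TARGET_PARAM = "dirBrowse"

# Constructed sample log lines (common log format); not from a real device.
SAMPLE_LOG = [
    '10.0.0.5 - admin [18/Mar/2026:17:20:00 +0000] "GET /file_manager.cgi?dirBrowse=/cfg/logs HTTP/1.1" 200 1024',
    '10.0.0.9 - admin [18/Mar/2026:17:26:00 +0000] "GET /file_manager.cgi?dirBrowse=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - admin [18/Mar/2026:17:27:00 +0000] "GET /index.cgi?dirBrowse=%3Cscript%3E HTTP/1.1" 404 0',
]

def flag_requests(log_lines):
    """Return (path, decoded dirBrowse value) for requests to the affected endpoint
    whose dirBrowse parameter contains script markup. parse_qs URL-decodes values."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != TARGET_PATH:
            continue
        for value in parse_qs(parts.query).get(TARGET_PARAM, []):
            if SUSPICIOUS.search(value):
                hits.append((parts.path, value))
    return hits

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("unsafe :", render_listing_unsafe(probe))
    print("safe   :", render_listing_safe(probe))
    print("valid  :", validate_dir_browse(probe))
    for path, value in flag_requests(SAMPLE_LOG):
        print("flagged:", path, repr(value))
```

Encoding at the point of output is the control that actually closes the bug; the allow-list only narrows what reaches the sink, and the log check only tells you after the fact that someone tried. Because the interface is reached only by authenticated administrators, the flagged requests are also worth correlating with the account that issued them.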

Added: Mar 18, 2026, 5:26 PM
Updated: Mar 18, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.5
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.