elecV2 elecV2P Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in elecV2 elecV2P versions through 3.8.3. The issue is in the Endpoint component, specifically in the /logs endpoint. It is triggered by manipulating the filename parameter, whose value is reflected in the HTML output without proper escaping. This allows attackers to inject arbitrary HTML or JavaScript that executes in the context of the user's browser. The vulnerability can be exploited remotely without authentication, but requires user interaction.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the affected user.
Reproduction
To reproduce this vulnerability, send a GET request to the /logs endpoint with a crafted filename parameter that includes the desired JavaScript payload, such as an image tag with an error event handler. The injected script will execute in the browser of anyone who views the logs.
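The unescaped reflection described above, next to a hardened version, as an added example that is not elecV2P's source code. The function names, the "does not exist" message, the allow-list pattern and the sample input are assumptions constructed for illustration.

```javascript
// Added example: names below are hypothetical, not elecV2P's source.

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list for log file names: letters, digits, dot, underscore, hyphen.
function isValidLogName(name) {
  return typeof name === 'string' &&
    /^[A-Za-z0-9._-]{1,128}$/.test(name) &&
    !name.includes('..');
}

// Vulnerable pattern described in the advisory: the parameter is
// concatenated into the HTML response without escaping.
function renderUnsafe(filename) {
  return '<p>' + filename + ' does not exist</p>';
}

// Hardened pattern: escape at the point of output.
function renderSafe(filename) {
  return '<p>' + escapeHtml(filename) + ' does not exist</p>';
}

// Framework-neutral handler: takes the parsed query, returns a response object.
function handleLogsRequest(query) {
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    // Defence in depth: blocks inline script and inline event handlers.
    'Content-Security-Policy': "default-src 'self'",
  };
  const filename = query.filename;
  if (!isValidLogName(filename)) {
    // Reject early (also covers arrays and missing values); never echo the raw value.
    return { status: 400, headers, body: '<p>Invalid log file name</p>' };
  }
  // Constructed stand-in for the real lookup: no log file exists here.
  return { status: 404, headers, body: renderSafe(filename) };
}

// Constructed sample input matching the advisory's description.
const SAMPLE_INPUT = '<img src=x onerror=alert(1)>';
```

Validation and output escaping are independent controls: the allow-list rejects the request before anything is rendered, and the escaping keeps the response inert if a value ever reaches the template by another path.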
