Taiko AG1000-01A SMS Alert Gateway Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Taiko AG1000-01A SMS Alert Gateway, specifically in versions through Rev 8. This vulnerability resides within the embedded web configuration interface, allowing authenticated attackers to execute persistent JavaScript. Exploitation involves fragmenting malicious payloads across multiple administrative form fields, bypassing front-end length restrictions by using JavaScript comments and template literals to concatenate executable script fragments. These fragments are then rendered in administrative dashboard views, such as index.zhtml, resulting in persistent script execution within administrative sessions.

Impact

Exploitation of this vulnerability allows for the persistent execution of arbitrary JavaScript within the context of the administrative session. This could be used to manipulate dashboard configurations, inject malicious elements that remain stored on the device, or redirect operators to external, attacker-controlled sites. In industrial environments, such actions could spoof alert states or conceal critical sensor failures.

Reproduction

To reproduce this vulnerability, log into the Taiko AG1000-01A SMS Alert Gateway's web configuration interface. Once authenticated, navigate to the Point List page and inject a fragmented script into the 'Device Name' fields. The injected script should be split into fragments that will concatenate into a single executable script when rendered. After injection, refresh the main dashboard (index.zhtml) to execute the payload.

Remediation

No official patches are available for this vulnerability, as the vendor appears to be inactive. Organizations using the Taiko AG1000-01A should isolate the device's web management interface from internet-facing networks, place it in a segmented Management VLAN, and require secure VPN access for remote configuration.
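Because no fix is available, operators may want to check what is already stored on the device. The following audit is an added example, not code from this advisory or from the vendor. It flags 'Device Name' values that open a JavaScript comment or template literal in one field and close it in a later one, which is the fragmentation pattern described under Vulnerability. It assumes the stored names can be collected into a list in the order the dashboard renders them. The allowlist of label characters and the sample values are also assumptions.

```python
import re

# Assumption: legitimate device names are short plain labels.
ALLOWED = re.compile(r"[A-Za-z0-9 _.#()-]*")
# Delimiters that let one field open a construct that a later field closes.
TOKENS = re.compile(r"/\*|\*/|`")
CLOSER = {"comment": "*/", "template literal": "`"}

def audit_device_names(names):
    """names: stored 'Device Name' values in dashboard render order.
    Returns a list of (field_index, reason) findings."""
    findings = []
    kind, opened_in = None, None  # construct left open, and by which field
    for i, name in enumerate(names):
        if not ALLOWED.fullmatch(name):
            findings.append((i, "disallowed characters"))
        for tok in TOKENS.findall(name):
            if kind is None:
                if tok == "/*":
                    kind, opened_in = "comment", i
                elif tok == "`":
                    kind, opened_in = "template literal", i
            elif tok == CLOSER[kind]:
                if opened_in != i:  # opened in one field, closed in another
                    findings.append(
                        (i, f"closes {kind} opened in field {opened_in}"))
                kind, opened_in = None, None
    if kind is not None:
        findings.append((opened_in, f"opens {kind} never closed"))
    return findings

# Constructed sample values (harmless; they only carry the delimiters).
SAMPLE_NAMES = ["Boiler Room 1", "Pump A/*", "*/ Pump B",
                "Tank `", "` Level", "Freezer-02"]

if __name__ == "__main__":
    for idx, reason in audit_device_names(SAMPLE_NAMES):
        print(f"field {idx}: {SAMPLE_NAMES[idx]!r}: {reason}")
```

A per-field length limit passes every one of the sample values, which is why the audit tracks delimiter state across fields instead of judging each field alone.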

Added: May 20, 2026, 8:20 PM
Updated: May 20, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 4.6
remediation: 0.0
relevance: 8.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.