The issue could be exploited by injecting malicious script code into vulnerable website inputs. An attacker would trick users into creating malicious XSS-enabled web requests on the affected hosting server. Successful exploitation of XSS vulnerabilities results in information disclosure and the possibility of data modification. The researcher discovered that the EYESOfNetwork Web Interface v5.3 allows unauthenticated users to modify the X-Powered-By HTTP header via the component /module/report_event/.

XSS and Information Disclosure Vulnerabilities Found in EYESOfNetwork Web Interface

A vulnerability was found in the EYESOfNetwork Web Interface v5.3 that could be exploited to compromise a web server. This vulnerability is due to the Web Interface's inability to sanitize input properly, which leaves it vulnerable to cross-site scripting (XSS) attacks. The researcher discovered that the EYESOfNetwork Web Interface v5.3 allows unauthenticated users to modify the X-Powered-By HTTP header via the component /module/report_event/. An attacker who successfully exploited this vulnerability would be able to execute malicious script code in their target's browser and trick them into executing malicious requests on the hosting server. Successful exploitation of this vulnerability results in information disclosure and the possibility of data modification as well as security vulnerabilities as a result of possible data disclosure and data tampering through persistent malicious code execution.

Summary of Shumow’s XSS Analysis on EYESOfNetwork Website

Shumow discovered an XSS vulnerability in the EYESOfNetwork Web Interface v5.3 on the EYESOfNetwork website, which allows for unauthenticated users to modify the X-Powered-By HTTP header via the component /module/report_event/. This vulnerability could be exploited by injecting malicious script code into vulnerable website inputs. An attacker would trick users into creating malicious XSS-enabled web requests on the affected hosting server. Successful exploitation of XSS vulnerabilities results in information disclosure and the possibility of data modification.

Vulnerabilities summary

A CVE identifier is assigned to this vulnerability.
This vulnerability has been exploited in the wild.
The CVSS score for this vulnerability is 7.2.
The researcher noticed that there are XSS vulnerabilities on all the versions of EYESOfNetwork Web Interface v5.3, including versions prior to v5.3 and versions after v5.3.

Timeline

Published on: 11/08/2022 01:15:00 UTC
Last modified on: 11/08/2022 15:14:00 UTC

References