CVE-ID: CVE-2022-35612

A cross-site scripting (XSS) vulnerability in MQTTRoute v3.3 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the dashboard name text field.

It is possible to submit JavaScript in form fields as shown below.


The submitted JavaScript is stored and included in the application without output encoding, leading to cross-site scripting attack. As shown below, it is possible for an adversary to steal admin session cookie via cross-site scripting. 


References:

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Popular posts from this blog

CVE-ID: CVE-2022-35135, CVE-2022-35136

CVE-ID: CVE-2022-35134

CVE-ID: CVE-2022-34022