Exploit Title:  Real Time Automation 460MCBS Cross Site Scripting (XSS)
Date: 2023-03-09
Exploit Author: Yehia Elghaly
Vendor Homepage: https://www.rtautomation.com/
Software Link: https://www.rtautomation.com/product/460mcbs/
Version: Revision 5.2.14
Tested on: Real Time Automation 
CVE: N/A


Summary: The Real Time Automation  460MCBS moves data between up to 32 Modbus TCP Servers and a BACnet/IP Building Automation System (BAS). It’s a perfect tool to tie Modbus TCP power meters, boilers, chillers and other devices into your BACnet/IP Building Automation System

Description: The attacker can able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.: XSS found on when insert a payload after(/)

Payload: ?c12yy<script>alert('XSSYF')</script>p1ax8=1

[Affected Component]
(/)