notnotnotveg

Professional Internet Squirrel Chaser

1 minute read

CVE-2024-26367

Summary

A Cross Site Scripting (XSS) vulnerability in the web interface of multiple Evertz microsystems products such as MViP-II, XPS-EDGE-*, evEDGE-EO-*, MMA10G-*, 570IPG-X19-10G, allows a remote attacker to execute arbitrary code on a clients browser via a crafted payload in the login parameters.

Versions Impacted

The Evertz Microsystems products affected are :

Product Versions Tested
MViP-II Firmware 8.6.5
XPS-EDGE-* Build 1467
evEDGE-EO-* Build 0029
MMA10G-* Build 0498
570IPG-X19-10G Build 0691

Vulnerability Details

This vulnerability can be exploited when a user of these systems accesses the web interface for these devices using a link crafted by an attacker, which contains malicious HTML encoded in the location parameter of /login.php

As an example, the following HTML payload can be embedded in this parameter concerned :

http://localhost"><script>alert(document.domain)</script> <div id ="a

Such malicious HTML can be embedded in the parameter concerned :

/login.php?location=aHR0cDovL2xvY2FsaG9zdCI+PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+IDxkaXYgaWQgPSJh

This should generate a basic alert with the domain of the endpoint : 5D20A4A2-18A8-4A40-877A-EADDD76A56D6

Multiple attempts (direct contact and by CERT/CC) have been made to responsibly disclose the issue to the Evertz Microsystems to address the root cause of this vulnerability, but no response was received.

Users are advised to restrict network access to their deployments and inspect URLs for their panels before clicking them.

Disclosure Timeline
Feb 12, 2023 First attempt to contact Evertz Microsystems on service@evertz[dot]com and privacy@evertz[dot]com
Feb 14, 2023 Used live support chat and was told that the request will be forwarded internally.
Feb 14, 2023 Second attempt to contact Evertz Microsystems on service@evertz[dot]com and privacy@evertz[dot]com
Feb 22, 2024 Third attempt to contact Evertz Microsystems on service@evertz[dot]com and privacy@evertz[dot]com
Feb 28, 2024 Case opened with CERT Coordination Center (CERT/CC) : VRF#24-02-BHNHN
Mar 08, 2024 CVE number assigned by MITRE.
Mar 29, 2024 CERT/CC confirms no response has been received from Evertz.
May 13, 2023 Responsible public disclosure.

Tags:

Categories:

Updated:

You May Also Enjoy

The Cost of Exposing your Kubecost

4 minute read

Intro : During a recent engagement of reviewing a Kubernetes environment I came across a service called “Kubecost”, which is intended to be used for monitori...

RCE into EA using Kubeflow Notebooks

2 minute read

Intro Multiple articles and blog posts written about Kubeflow intrigued me to dive (albeit shallow) into and scour the depths of Shodan one evening to see wh...

Burp Suite Extension - Raw Collaborator

1 minute read

The following describes the set up and usage of a Burp Suite Extension I wrote, that creates a new Collaborator URL and dumps the raw Interaction transaction...