[webapps] ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)
2022-8-9 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:15 收藏

# Exploit Title:  ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)
# Date: 03/08/2022
# Exploit Author: Steffen Langenfeld & Sebastian Biehler
# Vendor Homepage: https://thingsboard.io/
# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
# Version: 3.3.1
# CVE : CVE-2021-42750
# Tested on: Linux

#Proof-Of-Concept:
When creating a rule node (any) and putting a script payload inside the name of the rule node, it is executed upon hovering above the node within the editor.

#Steps

1. Create a new rule node (via the menu "Rule chains")
2. Put a javascript payload within the name e.g <script>alert('XSS')</script>
3. Save the node
4. Upon hovering above the node within the editor the payload is executed
            

文章来源: https://www.exploit-db.com/exploits/51003
如有侵权请联系:admin#unsafe.sh