Talos Vulnerability Report


InHand Networks InRouter302 web interface session cookie information disclosure vulnerability

May 10, 2022
CVE Number



An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie lacks the HttpOnly flag, which makes it accessible via JavaScript and allows an attacker who is able to perform an XSS attack to steal it.

Tested Versions

InHand Networks InRouter302 V3.5.4

Product URLs

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CWE-1004 - Sensitive Cookie Without ‘HttpOnly’ Flag


The InRouter302 is an industrial LTE router. It features remote management functionality and several security protection mechanisms, such as VPN technologies, firewall functionality, authorization management and several other features.

The InRouter302 has a web interface that requires login before any action can be performed. The login is performed using JavaScript. The following function performs the login request:

function onOk()
                "check_auth.jsp?_ajax=1&_username=" + 
                escape(E('username').value) + 
                "&_passwd=" + 
}

The above function calls a custom function, `creatAjaxReq`, which performs a GET request to the server to obtain a session cookie if the credentials provided are correct.

Then, if the credentials were correct, the onSuccess function will be called and the session cookie will be updated with the one provided by the server:

function onSuccess(txt) {
    var v = txt.split(',');
    if( v[0] == "OK" ){
        document.cookie = 'web_session=' + v[1] + '; expires=' +
            (new Date(new Date().getTime() + (1 * 86400000))).toUTCString() + '; path=/';               // [1]
        page = "index.jsp";

        setTimeout(loadPage, 1000);
    }
    // ... (rest of the function is not shown)
}

At [1] the session cookie is set without the HttpOnly flag, which means that an attacker who is able to inject arbitrary JavaScript into a page would be able to steal the web_session cookie. This cookie can then be used to log in to the web interface.
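The following audit check is an added example, not part of the Talos report or the vendor's firmware. It flags a session cookie that is written from page script (browsers ignore HttpOnly when a cookie is created through document.cookie, so the flag can only come from a server Set-Cookie header) or that arrives in a Set-Cookie header without HttpOnly. The function names and sample inputs are hypothetical, and the server-set header is an assumed corrected form, not the vendor's actual patch.

```javascript
// Added example; function names and sample values are hypothetical.

// Parse one Set-Cookie header value into its name and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: eq === -1 ? '' : pair.slice(0, eq),
    attrs: new Set(attrs.filter(Boolean).map((a) => a.split('=')[0].trim().toLowerCase())),
  };
}

// Find script lines that write the named cookie through document.cookie.
// A cookie created this way can never be HttpOnly.
function findScriptCookieWrites(jsSource, cookieName) {
  const safe = cookieName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('document\\.cookie\\s*=\\s*[\'"`]' + safe + '=');
  return jsSource.split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter((l) => re.test(l.text));
}

// Audit a login flow: the session cookie must come from a Set-Cookie header
// that carries HttpOnly, and no page script may write it.
function auditSessionCookie(setCookieHeaders, pageScript, cookieName) {
  const findings = [];
  const cookie = setCookieHeaders.map(parseSetCookie).find((c) => c.name === cookieName);
  if (!cookie) findings.push('not-set-by-server');
  else if (!cookie.attrs.has('httponly')) findings.push('missing-httponly');
  for (const w of findScriptCookieWrites(pageScript, cookieName)) {
    findings.push('script-write:line-' + w.line);
  }
  return findings;
}

// Constructed inputs. BEFORE_SCRIPT mirrors the pattern in the report's onSuccess().
const BEFORE_SCRIPT = [
  "var v = txt.split(',');",
  "document.cookie = 'web_session=' + v[1] + '; path=/';",
].join('\n');
// Assumed corrected form: the server issues the cookie itself (constructed value).
const AFTER_HEADERS = ['web_session=0123456789abcdef; Path=/; HttpOnly'];

console.log(auditSessionCookie([], BEFORE_SCRIPT, 'web_session'));
console.log(auditSessionCookie(AFTER_HEADERS, '', 'web_session'));
```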

Vendor Response

The vendor has updated their website and uploaded the latest firmware on it.
https://inhandnetworks.com/product-security-advisories.html
https://www.inhandnetworks.com/products/inrouter300.html#link4



2022-02-25 - Initial vendor contact
2022-03-02 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release


Discovered by Francesco Benvenuto of Cisco Talos.