Talos Vulnerability Report

TALOS-2022-1619

Moxa SDS-3008 Series Industrial Ethernet Switch web application stored cross-site scripting vulnerability

February 2, 2023
CVE Number

CVE-2022-41311, CVE-2022-41312, CVE-2022-41313

SUMMARY

A stored cross-site scripting vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Moxa SDS-3008 Series Industrial Ethernet Switch 2.1

PRODUCT URLS

SDS-3008 Series Industrial Ethernet Switch - https://www.moxa.com/en/products/industrial-network-infrastructure/ethernet-switches/layer-2-smart-switches/sds-3008-series

CVSSv3 SCORE

4.3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

DETAILS

The SDS-3008 is an 8-port smart Ethernet switch designed for industrial environments. In addition to standard smart switch functionality such as IEEE 802.1Q VLAN, port mirroring and SNMP, the SDS-3008 also implements variations of EtherNet/IP, PROFINET and Modbus TCP to support management functions. The switch is primarily managed via a web application.

Multiple fields in the Switch Information section of the web application are vulnerable to stored cross-site scripting (XSS). An attacker with the privileges needed to edit these settings (the CVSS vector above rates the required privileges as high) can store malicious JavaScript that is executed by the web browser of every other user who views the application. Potential attacks include stealing session tokens, displaying false information, and denying access to the application by clearing other users' cookies.

CVE-2022-41311 - Switch Location

The Switch Location field (id="webLocationMessage_text" name="webLocationMessage_text") in the Switch Information section of the web application is vulnerable to stored cross-site scripting exploits.

Exploit Proof of Concept

The following input in the Switch Location field will result in stored JavaScript, which will be executed by the browser when the page is loaded.

<script>alert("XSS")//

CVE-2022-41312 - Switch Description

The Switch Description field (name="switch_description") in the Switch Information section of the web application is vulnerable to stored cross-site scripting exploits.

The field is enclosed in SCRIPT tags and includes the default text “SDS-3008”:

<script>document.switch_information_form.switch_description.value="SDS-3008";</script>

Exploit Proof of Concept

The following input in the Switch Description field will result in stored JavaScript, which will be executed by the browser when the page is loaded.

\";alert('XSS');//

CVE-2022-41313 - Contact Information

The Contact Information field (name="switch_contact") in the Switch Information section of the web application is vulnerable to stored cross-site scripting exploits.

The field is enclosed in SCRIPT tags:

<script>document.switch_information_form.switch_contact.value="";</script>

Exploit Proof of Concept

The following input in the Contact Information field will result in stored JavaScript, which will be executed by the browser when the page is loaded.

\";alert('XSS');//
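
The following is an added illustration, not code from Talos or from the Moxa firmware. It models the two injection contexts described above: the Switch Description and Contact Information values land inside a JavaScript string literal in an inline SCRIPT block, while the Switch Location value is assumed to be rendered as ordinary page text. The escaping behaviour of the vulnerable firmware is an assumption inferred from the proof-of-concept strings (a payload that starts with a backslash breaks out of the literal, which is what happens when only double quotes are backslash-escaped); the hardened variants show the context-specific encoding that neutralises the same payloads. Running it in Node executes each rendered script against a stub document and alert, so the difference is observable rather than asserted.

```javascript
// Added example (not Moxa's or Talos's code). Models how Switch Information values
// end up in the rendered page and why the advisory's payloads break out.

// --- Script context (Switch Description / Contact Information) ----------------

// ASSUMED vulnerable behaviour: only double quotes are backslash-escaped before the
// value is dropped into a JS string literal. An input that begins with a backslash
// consumes that escape, so the following quote terminates the literal early.
function vulnerableScriptLiteral(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Hardened: JSON-encode the value (handles both " and \), then hex-escape the
// characters that could close the enclosing <script> element or act as JS line
// terminators that JSON permits raw.
function safeScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Mirrors the snippet quoted in the advisory:
//   <script>document.switch_information_form.switch_description.value="SDS-3008";</script>
function renderDescriptionScript(value, literalFn) {
  return 'document.switch_information_form.switch_description.value=' + literalFn(value) + ';';
}

// Execute the script body the way a browser would, against a stub DOM, and report
// what the field ended up holding and whether any alert() fired.
function runInlineScript(js) {
  const doc = { switch_information_form: { switch_description: { value: null } } };
  const alerts = [];
  new Function('document', 'alert', js)(doc, (msg) => alerts.push(String(msg)));
  return { fieldValue: doc.switch_information_form.switch_description.value, alerts };
}

// --- HTML context (Switch Location) -------------------------------------------

// Hardened: entity-encode the five HTML metacharacters before the value is placed
// in element content or a quoted attribute.
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// ASSUMED markup: the location is shown as element text. Passing an identity
// function as escapeFn models the vulnerable rendering.
function renderLocation(value, escapeFn) {
  return '<span id="webLocationMessage_text">' + escapeFn(value) + '</span>';
}

// True if the rendered markup still contains an opening <script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Payloads copied from the advisory's proofs of concept.
const SCRIPT_PAYLOAD = '\\";alert(\'XSS\');//';
const HTML_PAYLOAD = '<script>alert("XSS")//';

function demo() {
  return {
    vulnerableScript: runInlineScript(renderDescriptionScript(SCRIPT_PAYLOAD, vulnerableScriptLiteral)),
    hardenedScript: runInlineScript(renderDescriptionScript(SCRIPT_PAYLOAD, safeScriptLiteral)),
    // A closing tag inside the value must not survive into the page either.
    hardenedCloseTag: runInlineScript(renderDescriptionScript('</script>', safeScriptLiteral)),
    vulnerableLocation: containsScriptTag(renderLocation(HTML_PAYLOAD, (v) => v)),
    hardenedLocation: containsScriptTag(renderLocation(HTML_PAYLOAD, escapeHtml)),
  };
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In the vulnerable run the stored value becomes a single backslash and alert fires; in the hardened run the field holds the payload verbatim and nothing else executes. The same JSON-plus-hex-escape treatment applies to the Contact Information field, which the advisory shows embedded in an identical script statement.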

TIMELINE

2022-10-14 - Vendor Disclosure
2022-10-14 - Initial Vendor Contact
2023-02-02 - Public Release
2023-02-02 - Vendor Patch Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.