Tripplite Stored XSS

Public disclosure of CVE-2020-26801 - Stored XSS on Tripplite SU2200RTXL2Ua

A stored XSS vulnerability was discovered on the Tripplite SU2200RTXL2Ua UPS device.

CVE-2020-26801 - Stored XSS

Through the web interface, an unauthenticated attacker may supply specially crafted input to various variable fields, resulting in stored XSS. The images below show the version of the Tripplite UPS found to be vulnerable, as well as proof-of-concept steps to reproduce. Note that it is possible to properly close out the original JavaScript so that no errors are present in the page and everything continues to function as intended while injecting whatever malicious code is desired.

Affected Device Details

Figure 1: Version Information

Proof of Concept

Figure 2: Vulnerable Inputs

Figure 3: Stored XSS Executing

Figure 4: Source Code

Conclusion and Recommendation

The Tripplite SU2200RTXL2Ua is still being sold by Tripplite, and it is unknown at this time whether CVE-2020-26801 has been fixed in the most recent firmware versions. If you own one of these devices, you may be able to disable the web interface functionality. Disabling the web interface would effectively mitigate any potential risk posed by this vulnerability.
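For anyone maintaining a similar embedded web UI, the underlying fix for a stored value that lands inside the page's JavaScript is to encode it for that context on output. The sketch below is an added example, not the vendor's code (the device's template code is not shown here); the function names, the `deviceName` variable and the sample value are assumptions constructed for illustration.

```javascript
// Added example: output-encode a stored field value that is embedded in an
// inline <script>. All names and the sample value are hypothetical.

// Characters that can end a string literal or the enclosing <script> element.
// Each is replaced by a \uXXXX escape, which is inert to both the HTML parser
// and the JavaScript parser.
const JS_UNSAFE = /[<>&'"\\\/\u2028\u2029\x00-\x1f]/g;

// Return the value as a double-quoted JavaScript string literal that is safe
// to place inside an inline script block.
function encodeForInlineScript(value) {
  const escaped = String(value).replace(JS_UNSAFE, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
  return '"' + escaped + '"';
}

// Weak pattern: the stored value is concatenated straight into the script.
function renderWeak(value) {
  return '<script>var deviceName = "' + value + '";</script>';
}

// Hardened pattern: the value is encoded for the JavaScript string context.
function renderHardened(value) {
  return "<script>var deviceName = " + encodeForInlineScript(value) + ";</script>";
}

// Count script end tags in the rendered markup. More than one means the
// stored value terminated the script element early.
function countScriptCloses(html) {
  return html.split("</script>").length - 1;
}

// Constructed sample: a harmless label that still breaks the weak rendering.
const SAMPLE = 'Rack "A" </script>';

console.log("weak    :", countScriptCloses(renderWeak(SAMPLE)), "script end tags");
console.log("hardened:", countScriptCloses(renderHardened(SAMPLE)), "script end tag");
console.log("literal :", encodeForInlineScript(SAMPLE));
```

Validating the fields when they are saved is still worthwhile, but the encoding has to happen at output time, because the same stored value may be rendered in more than one context.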

Timeline

2020-10-06 Contacted MITRE to request CVE
2021-06-08 MITRE responded with CVE IDs
2021-06-21 Public Disclosure
