SMSEagle Team has fixed a stored Cross-Site Scripting (XSS) vulnerability that allowed JavaScript code to be injected into a username or a contact phone number property, which then gets executed when an administrator edits the affected property in the web-GUI. This was discovered and responsibly disclosed to SMSEagle Team by an external security researcher.
SMSEagle Team would like to thank Vincent Salvadori for responsibly disclosing the issue to SMSEagle.
All device models with software version < 6.11 are affected by the vulnerability. The issue has been resolved in software versions 6.11 and higher.
Update your SMSEagle software to version 6.11 or higher.
You can perform the update via web-GUI > Settings > Updates > “Check for software update now”. For offline software update packages, contact our Support Center.
A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.11. The vulnerability arises because the application did not properly sanitize user input in certain controls of the web GUI. This could allow an attacker to inject malicious JavaScript code into a username or a contact phone number property, which gets executed when an administrator edits the affected property in the web-GUI.
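The following is an added illustration of the bug class described above, not SMSEagle's own code: a stored username or phone number is rendered into the administrator's edit form, first with the unencoded concatenation that makes stored XSS possible, then with contextual output encoding plus a save-time allowlist for phone numbers. The contact record and the `renderEditField*` helpers are hypothetical.

```javascript
// Added illustration, not SMSEagle's code: rendering the "edit contact" form
// so that a stored username or phone number cannot become script when an
// administrator opens the edit page.

// Contextual output encoding for an HTML attribute value (also safe for text).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Defence in depth at save time: a contact phone number only needs digits,
// an optional leading "+", and common separators. Anything else is rejected
// before it is stored, so markup never reaches the database in the first place.
function isValidPhoneNumber(value) {
  return /^\+?[0-9][0-9 ()\-]{2,30}$/.test(value);
}

// Vulnerable pattern (the class of defect the advisory describes): the stored
// value is concatenated into the form markup without encoding, so a value
// containing a quote and a tag breaks out of the attribute.
function renderEditFieldUnsafe(name, value) {
  return `<input name="${name}" value="${value}">`;
}

// Fixed pattern: every stored value is encoded for the attribute context.
function renderEditFieldSafe(name, value) {
  return `<input name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Constructed sample record (hypothetical, not from the advisory) whose phone
// number field holds markup instead of a number.
const storedContact = {
  username: 'alice',
  phone: '"><script>alert(1)</script>',
};

// Whether a rendered field still carries a raw script tag is the check a
// reviewer or test suite would run against the template.
function containsRawScript(html) {
  return html.includes('<script');
}
```

The unsafe renderer returns markup containing a live script tag, while the safe renderer returns the same value encoded as `&quot;&gt;&lt;script&gt;...`, and the allowlist rejects the stored value outright.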
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Finder: Vincent Salvadori
SMSEagle continuously monitors and reports cybersecurity threats, enabling our customers to proactively take the necessary mitigation steps to maintain the security of their devices. To assist you in managing and mitigating security risks, SMSEagle offers product advisories.