Attacks: Stored XSS

Product: Firmware Analysis and Comparison Tool

Affected Version(s): v3.2

Proof of Concept:

  1. Log in to the web console with admin privileges.

  2. Navigate to the user management page and add a user whose name contains the XSS payload.

    ##Navigate to the user management page:
    <http://FactServer/admin/manage_user>
    
    ##Payload
    <img src=# onerror='alert(document.domain)'/>
    

  3. When the user management page is loaded, the stored XSS payload is triggered.

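The bug class behind this report is a username rendered into the admin page without output encoding. The following added example (not FACT's own code) assumes server-side rendering of a user table and contrasts unescaped interpolation with the hardened form, using the payload from the PoC above as constructed sample input:

```python
import html
from typing import Iterable

# Constructed sample usernames; the second is the payload from the advisory.
SAMPLE_USERS = [
    "alice",
    "<img src=# onerror='alert(document.domain)'/>",
]


def render_user_rows_vulnerable(usernames: Iterable[str]) -> str:
    """Interpolate usernames straight into HTML: stored markup becomes live markup."""
    return "".join(f"<tr><td>{name}</td></tr>" for name in usernames)


def render_user_rows_hardened(usernames: Iterable[str]) -> str:
    """Escape every username before interpolation so stored markup renders as text.

    quote=True also encodes ' and ", which matters when a value lands inside an
    attribute rather than element text.
    """
    return "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in usernames
    )


def payload_survives(rendered: str, payload: str) -> bool:
    """True if the stored payload reached the page unchanged (i.e. it would execute)."""
    return payload in rendered
```

Template engines with autoescaping on (e.g. Jinja2 with `autoescape=True`) give the hardened behaviour by default; the vulnerable form is what you get from string concatenation or a `|safe`/`Markup` bypass.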