cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS via the mask POST parameter-CVE-2019-7438 (XSS)

# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS Injection via the mask POST parameter.
# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7438-XSS
***********************************************************************
## Vulnerability Description=> Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
----------------------------------------
# Proof Of Concept:-POC
1- First open BurpSuite
2- Turn Intercept on
3- Go to your WiFi router's gateway in the browser [i.e. http://192.168.225.1 ]
4- Capture the data and then spider the host
5- Now you will find a link like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
6- Send it to Repeater. Now you will find parameters like this [ Page=GetWANInfo&mask=0&token=0 ]
7- Vulnerable parameter is => mask
8- Paste this PAYLOAD in the mask parameter and then show the response in the browser
Payload =>


9- Now it will show a popup of MyAiM on screen
------------------------------------------------------------------------
Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter
------------------------------------------------------------------------
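One way a CGI handler could close this hole, shown as an added example that is not the device's firmware code: `mask` is parsed as a number and the reply is rebuilt from the parsed value, so request bytes never reach the output. The function names, the JSON reply shape and the 9-digit limit are assumptions; only the body format `Page=GetWANInfo&mask=0&token=0` comes from the advisory.

```c
/* Added example, not the device's firmware code; reply shape is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the raw value of `key` from a form-encoded body into out; 0 if found. */
int form_get(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = body; p && *p; ) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        if (len > klen && p[klen] == '=' && strncmp(p, key, klen) == 0) {
            size_t vlen = len - klen - 1;
            if (vlen >= outsz) return -1;      /* reject, never truncate */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* Allow-list: 1 to 9 decimal digits only, which always fit in unsigned long. */
int parse_mask(const char *s, unsigned long *mask)
{
    size_t n = strlen(s);
    if (n == 0 || n > 9 || strspn(s, "0123456789") != n) return -1;
    *mask = strtoul(s, NULL, 10);
    return 0;
}

/* Build the CGI reply without copying any request bytes into it. JSON type
 * plus nosniff keeps a browser from rendering the body as HTML. */
int build_reply(const char *body, char *resp, size_t respsz)
{
    char raw[16];
    unsigned long mask = 0;
    const char *hdr = "Content-Type: application/json\r\n"
                      "X-Content-Type-Options: nosniff\r\n\r\n";
    if (form_get(body, "mask", raw, sizeof raw) || parse_mask(raw, &mask)) {
        snprintf(resp, respsz, "Status: 400 Bad Request\r\n%s"
                 "{\"error\":\"invalid mask\"}", hdr);
        return 400;
    }
    snprintf(resp, respsz, "Status: 200 OK\r\n%s{\"mask\":\"%lu\"}", hdr, mask);
    return 200;
}
```

Percent-encoded digits such as `%31` are rejected as well, because the check runs on the raw value before any decoding.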
REQUEST
-----------


****************************
RESPONSE
--------------
