CVE-2023-24709 PoC — Paradox Security Systems IPR512 Code Injection Vulnerability

Source
Associated Vulnerability
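Title: Paradox Security Systems IPR512 Code Injection Vulnerability (CVE-2023-24709)
Description: Paradox Security Systems IPR512 is a communication module from the US company Paradox that provides monitoring and management of Paradox devices over the network. Paradox Security Systems IPR512 contains a security vulnerability that allows an attacker to cause a denial of service via the login.html and login.xml parameters.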
Description
In the Paradox Security Systems IPR512 web console login form page, an attacker can input a JavaScript string, such as "</script>", that will overwrite configuration in the file "login.xml" and cause the login page to crash.
Readme
# Injection vulnerability in Paradox Security Systems IPR512 - CVE-2023-24709 PoC
In the Paradox Security Systems IPR512 web console login form page, an attacker can input a JavaScript string, such as <code></script></code>, that will overwrite configuration in the file "login.xml", crash the login form and make it unavailable.

!!!WARNING!!! Be aware that this will have a damaging impact on the functioning of the service!

<b>1. The Paradox Security Systems IPR512 Account Management web panel is accessible. Type "admin" as the user.</b>
  
![screenshot](/img/pss_1.png)
  
<b>2. Intercept the request with Burp Suite.</b>
  
![screenshot](/img/pss_2.png)

<b>3. Replace "admin" with the JavaScript tag <code></script></code>.</b>
  
![screenshot](/img/pss_3.png)

<b>4. URL-encode <code></script></code> to bypass the security filter and send the request.</b>

![screenshot](/img/pss_4.png)

<b>5. If access to login.xml isn't restricted, you can check that it has been overwritten.</b>
  
![screenshot](/img/pss_5.png)

<b>6. The web panel login form isn't accessible anymore because it has crashed.</b>
  
![screenshot](/img/pss_6.png)

A code injection vulnerability in login.html on the web panel login page of the Paradox Security Systems IPR512 allows a remote or local attacker to crash the web panel login page by injecting simple JavaScript code, such as <code></script></code>, into the login form.
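
The readme describes a filter that is bypassed by URL encoding, after which the value ends up in login.xml. The following is an added example, not code from the PoC or from Paradox firmware, contrasting a check on the still-encoded value with decode-then-allowlist validation plus output escaping. The function names, the username allowlist and the `<login><user>` layout are assumptions, since the device's code and the real login.xml structure are not shown on the page.

```python
import re
from urllib.parse import unquote
from xml.sax.saxutils import escape

# Assumed allowlist for account names; the device's real rules are not on the page.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Constructed sample inputs: plain, raw markup, URL-encoded, double-encoded.
SAMPLES = ["admin", "</script>", "%3C%2Fscript%3E", "%253C%252Fscript%253E"]


def naive_filter_accepts(raw_value: str) -> bool:
    """Weak pattern: inspects the encoded value, so %3C and %3E pass."""
    return "<" not in raw_value and ">" not in raw_value


def validate_username(raw_value: str) -> str:
    """Decode once, then allowlist the form that will actually be stored.

    '%' is not in the allowlist, so a value that is still encoded after
    one decoding pass (double encoding) is rejected rather than re-decoded.
    """
    value = unquote(raw_value)
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains disallowed characters")
    return value


def render_login_xml(username: str) -> str:
    """Escape on output too, so markup cannot alter the XML structure."""
    # Hypothetical layout standing in for the device's login.xml.
    return f"<login><user>{escape(username)}</user></login>"


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (naive filter verdict, hardened validator verdict)."""
    results = {}
    for raw in samples:
        try:
            validate_username(raw)
            hardened = True
        except ValueError:
            hardened = False
        results[raw] = (naive_filter_accepts(raw), hardened)
    return results


if __name__ == "__main__":
    for raw, verdicts in compare().items():
        print(f"{raw!r}: naive={verdicts[0]} hardened={verdicts[1]}")
```
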
File Snapshot

[4.0K] /data/pocs/2d142a8b3a708ca50aa26cb1369fba04dd4eee26
├── [2.0K] cve-2023-24709.sh
├── [4.0K] img
│   ├── [ 41K] pss_1.png
│   ├── [ 48K] pss_2.png
│   ├── [ 49K] pss_3.png
│   ├── [ 59K] pss_4.png
│   ├── [ 29K] pss_5.png
│   └── [ 25K] pss_6.png
└── [1.4K] README.md

1 directory, 8 files