Viprinet VPN Hub Router Cross Site Scripting

Viprinet VPN Hub Router suffers from a persistent cross site scripting vulnerability.

MD5 | 5a9e2aaf91108203d85e5d8867335380

SD-WAN New Hope Team identified a stored XSS in Viprinet VPN Hub Router.

Input validation and output escaping mechanisms are missing for CLI
interface. Stored XSS is possible. By exploiting that vulnerability an
attacker can obtain sensitive information (e.g., private key) or modify a
remote routeras SSL certificate fingerprint employed in VPN tunneling.

Vulnerability Description:
There are two management interfaces in the Viprinet system. One of them is
a CLI which is available via And the second one is a Web
There is an access control mechanism which allows to add an user and give
him a privilege to write or read to some sections of the app (sections

Steps to Reproduce:
1. Add an user and give him write access to QOSTEMPLATES and TRAFFICRULES.
2. The user should have access to the CLI and Web Interface.
3. Add a new ITEM in the TRAFFICRULES section.
4. Using CLI, the added user with minimal privileges could set Name for
created ITEM to <svg/onload=alert(ViprinetSessionId)>
5. If the root user logs in, an alert window with sessionID will be shown.

It should be noted, that passing a session ID in URL as a mitigation
technique (actively used by Viprinet) does not work here.

The same report was sent to Viprinet in September 2018.

SD-WAN New Hope Team.

Related Posts