Emerson Network Power Liebert Challenger version 5.1E0.5 suffers from a cross site scripting vulnerability.
aa6b0f6fad2870e8a0d444aefcd1682f
I. VULNERABILITY
-------------------------
httpGetSet/httpGet.htm on
Emerson Network Power Liebert Challenger 5.1E0.5 devices allows XSS via the statusstr parameter.
II. CVE REFERENCE
-------------------------
CVE-2019-12167
III. VENDOR
-------------------------
Emerson Network Power
IV. TIMELINE
-------------------------
13/05/2019 Vulnerability discovered
V. CREDIT
-------------------------
Kubilay Onur Gungor from Cyber Struggle
VI. DESCRIPTION
-------------------------
Cross Site Scripting (XSS) allows clients to inject scripts into a request and
have the server return the script to the client in the response. This occurs
because the application is taking untrusted data and reusing it
without performing any validation or sanitisation.
A remote user can conduct cross-site scripting attacks.
Affected Component:
Path(inurl): /httpGetSet/httpGet.htm?
Parameter: statusstr
VII. SOLUTION
-------------------------
Update to lastest version.