Cayin SMP-PRO4 Signage Media Player - Reflected XSS and Insecure Permissions Vulnerability


Hi All,

Recently, during one of my internal pentest assessments, I found an installed Cayin SMP-PRO4 Signage Media Player, and the next step, you know, was to hunt for a 0-day :xD

If you are still not sure how to find/submit a CVE, you can refer to my blog post.

I am writing this blog post as a supporting reference so that the CVE ID assigned to the above vulnerability will be published in the CVE List.

After reporting both issues, the CVE IDs assigned to them are as below:

So let's get started...

The Cayin SMP-PRO4 digital signage player is manufactured with fine quality with worldwide OEM/ODM services to meet ... Zone-Type Digital Signage Media Player, zone-type fanless digital signage player with AV-in supporting portrait mode, real-time video, playback of image slide show, ticker text, video, etc.

I found two issues in this product, which are as below:
  1. Insecure Permissions
  2. Reflected XSS

1- Insecure Permissions POC

Description:

Users cannot view the pre-configured password under "Content Update Wizard Setting", but when the connection is tested, the resulting GET request reveals the clear-text password of the Wizard Setting in its query string.

Vulnerable Endpoint:
http://IP/cgi-bin/media_folder.cgi?apply_mode=ping_server&webuser=administrator&webpass=[cleartextpassword]&ip_addr=IP&group=ra



2- Reflected XSS POC

Due to a lack of input validation on the filename field of the Cayin SMP-PRO4 Signage Media Player, it was possible to obtain a reflected XSS through the URL, e.g.
http://IPAddr/html/image_preview.html?filename=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Vulnerable Endpoint:
http://IPAddr/html/image_preview.html?filename=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
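
Both findings leave a trace in whatever records the request URL: the `webpass` value from issue 1 is stored in clear text, and the `filename` value from issue 2 carries markup once percent-decoded. The script below is an added example, not part of the original post or of Cayin's software, that flags and redacts such requests. It assumes a common-log-format access log from a proxy or web server in front of the player; the sample lines, the `EXAMPLE-SECRET` value and the allowed-character set for file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumed common log format, not from a real device).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cgi-bin/media_folder.cgi?apply_mode=ping_server&webuser=administrator&webpass=EXAMPLE-SECRET&ip_addr=10.0.0.9&group=ra HTTP/1.1" 200 120',
    '10.0.0.7 - - [01/Jan/2020:10:01:00 +0000] "GET /html/image_preview.html?filename=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2020:10:02:00 +0000] "GET /html/image_preview.html?filename=lobby_01.jpg HTTP/1.1" 200 498',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate media file names need only these characters.
SAFE_FILENAME = re.compile(r'[A-Za-z0-9._ -]+')

def classify(line):
    """Return a list of finding labels for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    # Issue 1: the wizard password travels in the query string of a GET request.
    if url.path.endswith('/media_folder.cgi') and 'webpass' in params:
        findings.append('cleartext-password-in-url')
    # Issue 2: a filename outside the allow-list would be reflected into the page.
    if url.path.endswith('/image_preview.html'):
        for value in params.get('filename', []):
            if not SAFE_FILENAME.fullmatch(value):
                findings.append('suspicious-filename')
    return findings

def redact(line):
    """Mask the webpass value so the log can be shared without the secret."""
    return re.sub(r'(webpass=)[^&\s"]*', r'\1[REDACTED]', line)

def scan(lines):
    """Return (findings, redacted_line) for every line that has a finding."""
    return [(f, redact(l)) for l in lines if (f := classify(l))]

if __name__ == '__main__':
    for findings, line in scan(SAMPLE_LOG):
        print(', '.join(findings), '|', line)
```

The same allow-list check, applied on the device before `filename` is written into the preview page together with HTML output encoding, is the corresponding fix for the reflection itself.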



CVE Details:



