Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection

Title: Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection
Advisory ID: ZSL-2019-5503
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 05.01.2019
Summary
The Leica GR10 is the next generation GNSS reference station receiver that combines the latest state-of-the-art technologies with a streamlined 'plug and play' workflow. Designed for a wide variety of GNSS reference station applications, the Leica GR10 offers new levels of simplicity, reliability and performance.
Description
The application suffers from a stored XSS vulnerability. The issue is triggered through an unrestricted file upload in the config file restore function, which allows an attacker to upload an HTML or JavaScript file that will be stored in /settings/poc.html. This can be exploited to execute arbitrary HTML and JS code in a user's browser session in the context of an affected site.
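A sketch of the server-side check that the restore upload lacks, added here as an example (it is not the vendor's code and not part of the original advisory). The `.cfg` extension, the size limit and the function names are assumptions, since the advisory does not describe the real backup format.

```python
import os
import re

# Assumption: backups use one fixed extension; the advisory does not name the real format.
ALLOWED_EXTENSIONS = {".cfg"}
MAX_SIZE = 1024 * 1024  # assumed upper bound for a settings backup

# Markers of browser-active content that a settings backup should never contain.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(?:!doctype|html|script|svg|iframe|body|img|object|embed)\b|javascript\s*:",
    re.IGNORECASE,
)


def validate_restore_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a file offered to the restore function."""
    # Reject any path component so the upload cannot choose where it is stored.
    if not filename or filename != os.path.basename(filename.replace("\\", "/")):
        return False, "filename contains a path"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    # Content check: an allowed extension alone does not prove the file is inert.
    if ACTIVE_CONTENT.search(data):
        return False, "active HTML/JS content found"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers that stop a browser from rendering a stored file inline."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real device.
    print(validate_restore_upload("poc.html", b"<html><body>test</body></html>"))
    print(validate_restore_upload("backup.cfg", b"site_name=REF01\ninterval=30\n"))
```

The upload check and the response headers are independent layers: the first keeps active content out of /settings/, the second keeps anything already stored there from being rendered in the site's origin.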
Vendor
Leica Geosystems AG - https://www.leica-geosystems.com
Affected Version
4.30.063
4.20.232
4.11.606
3.22.1818
3.10.1633
2.62.782
1.00.395
Tested On
BarracudaServer.com (WindowsCE)
Vendor Status
N/A
PoC
leica_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php
[2] https://www.exploit-db.com/exploits/46091
[3] https://packetstormsecurity.com/files/151041
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/155274
Changelog
[05.01.2019] - Initial release
[14.01.2019] - Added reference [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk