Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit

Title: Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit
Advisory ID: ZSL-2019-5522
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 15.05.2019
Summary
Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV.
Description
The application suffers from an authenticated stored XSS via a GET request. The issue is triggered when input passed via the GET parameter 'server' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
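The following is an added example, not code from BTicino or from Zero Science Lab, showing the defender's side of the flaw described above: the reflection of an unsanitized 'server' value in a vulnerable form beside a hardened form that HTML-encodes it before output, plus a small detector that scans Apache access-log lines for 'server=' values carrying HTML metacharacters. The script path /driver/status.php, the log lines and the test value are constructed for illustration and are not taken from the device.

```python
"""
Added example (not the vendor's or the advisory author's code).

1. The reflection itself: a vulnerable pattern that concatenates the GET
   parameter into HTML, beside a hardened pattern that encodes it first.
2. A detector that parses Apache "combined" access-log lines and flags
   'server' query values containing HTML metacharacters.

Path, log lines and sample values below are constructed, not real device data.
"""
import html
import re
from urllib.parse import urlsplit, parse_qs


def render_server_field_unsafe(server: str) -> str:
    """Vulnerable pattern: the parameter value lands in the page unchanged."""
    return '<input name="server" value="' + server + '">'


def render_server_field(server: str) -> str:
    """Hardened pattern: encode for an HTML attribute context before output.
    quote=True also turns " and ' into entities, so the value can neither
    close the attribute nor open a new tag."""
    return '<input name="server" value="' + html.escape(server, quote=True) + '">'


# Enough of the Apache combined log format to recover client IP, method and target.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Characters that a hostname-style 'server' value never needs but a markup
# injection does (context break-out), plus the javascript: URL scheme.
_SUSPICIOUS = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def find_suspicious_server_params(log_lines):
    """Return (client_ip, decoded_value) for each GET request whose 'server'
    parameter contains HTML metacharacters. parse_qs percent-decodes the
    values, so URL-encoded attempts are caught as well."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or m.group('method') != 'GET':
            continue
        query = urlsplit(m.group('target')).query
        for value in parse_qs(query, keep_blank_values=True).get('server', []):
            if _SUSPICIOUS.search(value):
                hits.append((m.group('ip'), value))
    return hits


# Constructed sample log lines: a benign request, a percent-encoded markup
# injection attempt, and a POST that the GET-only check skips.
SAMPLE_LOG = [
    '192.0.2.10 - admin [15/May/2019:10:00:01 +0200] '
    '"GET /driver/status.php?server=bticino-f454 HTTP/1.1" 200 512',
    '192.0.2.77 - admin [15/May/2019:10:00:09 +0200] '
    '"GET /driver/status.php?server=%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 540',
    '192.0.2.10 - admin [15/May/2019:10:00:15 +0200] '
    '"POST /driver/status.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, value in find_suspicious_server_params(SAMPLE_LOG):
        print(f"{ip}: suspicious server= value {value!r}")
    sample = '"><b>test</b>'
    print("unsafe:  ", render_server_field_unsafe(sample))
    print("hardened:", render_server_field(sample))
```

The encoding step is the actual fix for this class of bug: the value is still displayed, but the browser sees `&quot;` and `&lt;` rather than a closed attribute and a new tag. The log check is only a detective control; it flags attempts against the parameter the advisory names and would be extended with the other reflected parameters of a given application.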
Vendor
BTicino S.p.A. - https://www.bticino.com
Affected Version
Hardware Platform: F454
Firmware version: 1.0.51
Driver Manager version: 1.1.14
Tested On
Apache/2.2.14 (Unix)
OpenSSL/1.0.0d
PHP/5.1.6
Vendor Status
[30.04.2019] Vulnerability discovered.
[01.05.2019] Vendor contacted.
[01.05.2019] Vendor responds; an employee from BTicino will contact us.
[14.05.2019] No reply from the vendor.
[15.05.2019] Public security advisory released.
PoC
legrand_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/46850
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/161093
[3] https://packetstormsecurity.com/files/152941
Changelog
[15.05.2019] - Initial release
[17.05.2019] - Added references [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk