Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed in the victim’s browser, allowing attackers to perform common XSS attacks.
References
Link | Resource |
---|---|
https://boltonshield.com/en/cve/cve-2023-47314/ | Exploit Third Party Advisory |
https://boltonshield.com/en/cve/cve-2023-47314/ | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 08:30
Type | Values Removed | Values Added |
---|---|---|
References | () https://boltonshield.com/en/cve/cve-2023-47314/ - Exploit, Third Party Advisory |
30 Nov 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed in the victim’s browser, allowing attackers to perform common XSS attacks. |
30 Nov 2023, 05:32
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:h-mdm:headwind_mdm:5.22.1:*:*:*:*:*:*:* | |
References | () https://boltonshield.com/en/cve/cve-2023-47314/ - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CWE | CWE-79 |
22 Nov 2023, 17:31
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-22 17:15
Updated : 2024-11-21 08:30
NVD link : CVE-2023-47314
Mitre link : CVE-2023-47314
CVE.ORG link : CVE-2023-47314
JSON object : View
Products Affected
h-mdm
- headwind_mdm
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')