SMSEagle Team has fixed a stored Cross-Site Scripting (XSS) vulnerability that allowed JavaScript code to be injected into an SMS message and, under some circumstances, executed when that SMS was viewed in the web-GUI. The issue was discovered and responsibly disclosed to SMSEagle Team by an external security researcher.
SMSEagle Team would like to thank Vincent Salvadori for responsibly disclosing the issue to SMSEagle.
All device models with software version < 6.0 are affected by the vulnerability. The issue has been resolved in software versions 6.0 and higher.
Update your SMSEagle software to version 6.0 or higher.
You can perform the update via web-GUI > Settings > Updates > “Check for software update now”. For offline software update packages, contact our Support Center.
A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software versions below 6.0. The vulnerability arises because the application did not properly sanitize user-supplied input when displaying SMS messages in the inbox. An attacker could therefore inject malicious JavaScript code into an SMS message; the code is executed when the SMS is viewed in the web-GUI and interacted with in a specific way.
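The root cause described above, untrusted SMS text reaching the inbox page without output encoding, is illustrated by the following added example. It is not SMSEagle code and does not reproduce the product's actual inbox template; the row-rendering functions, the escapeHtml helper, the containsRawTag check and the sample message are all constructed for this illustration. The vulnerable pattern concatenates the message body straight into markup, while the hardened pattern encodes every untrusted field first.

```javascript
// Added example, not SMSEagle code: rendering an inbox row with and without
// output encoding, to show why unescaped SMS text leads to stored XSS.

// Minimal HTML escaper covering the five characters that matter in element
// text and quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (hypothetical): the message body is interpolated into
// HTML as-is, so any markup inside the SMS becomes part of the page.
function renderRowUnsafe(msg) {
  return `<tr><td>${msg.sender}</td><td>${msg.text}</td></tr>`;
}

// Hardened pattern: every field that originates from the cellular network is
// encoded before it reaches the DOM, so markup is displayed, not interpreted.
function renderRowSafe(msg) {
  return `<tr><td>${escapeHtml(msg.sender)}</td><td>${escapeHtml(msg.text)}</td></tr>`;
}

// Regression check a project could keep in its test-suite: no raw tag of the
// given name may survive in rendered output built from untrusted input.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed sample inbox message (not a real capture): the body carries a
// script element, which is exactly what an SMS sender controls.
const sample = { sender: "+15550000000", text: 'Hi <script>alert("xss")</script>' };

// Stand-alone demonstration under Node.js.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderRowUnsafe(sample));
  console.log("safe:  ", renderRowSafe(sample));
}
```

In browser-side code the equivalent of renderRowSafe is to assign untrusted text with textContent (or createTextNode) rather than innerHTML; a Content-Security-Policy without unsafe-inline is a useful second layer because it blocks inline script even where an encoding step was missed.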
Security Impact Rating (SIR): High
CVSS Base Score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C
Finder: Vincent Salvadori