SMSEagle Team has fixed a stored Cross-Site Scripting (XSS) vulnerability allowing injection of JavaScript code into SMS message, which in some circumstances could be executed when the SMS is viewed in web-GUI. This was discovered and responsibly disclosed to SMSEagle Team by an external security researcher.
SMSEagle Team would like to thank Vincent Salvadori for responsibly disclosing the issue to SMSEagle.
Affected Products
All device models with software version < 6.0 are affected by the vulnerability. The issue has been resolved in software versions 6.0 and higher.
Remediation
Update your SMSEagle software to version 6.0 or higher.
You can perform the update via web-GUI > Settings > Updates > “Check for software update now”. For offline software update packages, contact our Support Center.
Details
A stored Cross-Site Scripting (XSS) vulnerability has been identified in SMSEagle software version < 6.0. The vulnerability arises because the application did not properly sanitize user input in the SMS messages in the inbox. This could allow an attacker to inject malicious JavaScript code to a SMS message, which gets executed when in web-GUI SMS is viewed and specially interacted with.
Security Impact Rating (SIR): High CVSS Base Score: 8.3 CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C
SMSEagle continuously monitors and reports cybersecurity threats, enabling our customers to proactively take necessary mitigation steps to maintain the security of their devices. To assist you in managing and mitigating security risks SMSEagle offers product advisories.