CVE-2021-26844

1. ============================
2. – CVEID: CVE-2021-26844
3. – PRODUCT: PA Server Monitor
4. – VERSION: 8.2.1.1
5. - VENDOR: Power Admin LLC
6. – PROBLEM TYPE: Cross-Site Scripting (XSS)
7. – DESCRIPTION: A Cross-Site Scripting (XSS) vulnerability in Power Admin PA Server Monitor 8.2.1.1 allows remote attackers to inject arbitrary web script or HTML via Console.exe.
8. ============================
9.  
10. Description:
11. 1. Navigate to Settings -> Remote Access -> hint.
12. 2. Insert the following Cross-Site Scripting (XSS) payload.
13. <script>alert(document.domain)</script>
14. 3. Refresh the page to trigger Cross Site Scripting (XSS) in the application.
15.  
16. Business Impact:
17. Cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary scripts into a victim’s web browser. An attacker can leverage this vulnerability by passing the malicious script to the application, which then gets passed to the user. Since the malicious code is passed through the victim’s browser via the application, the browser cannot differentiate between legitimate and malicious code. The malicious code can to retrieve cookies, session tokens, and other sensitive information in the application. It even has the potential to deface the application by rewriting the contents of the HTML page.
18.  
19. References:
20. https://www.poweradmin.com/products/server-monitoring/support/release-notes/
21. https://owasp.org/www-community/attacks/xss/
22.  
23. Discoverer:
24. Ryan Jones