Back

NeDi 1.9C XSS

Published on
10 Jan 2022
Vulnerability

Description

Because of an incorrect implementation of sanitise() in inc/libmisc.php, NeDi 1.9C is vulnerable to XSS. This function tries to escape the SCRIPT tag from user-controllable values, however it can be quickly bypassed, as shown by an IMG element’s onerror attribute as a Devices-Config.php?sta= value.

Recommendations

  • Update NeDi 1.9C to the latest version
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.
Product tour
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.
Product tour