How the CVE Works:
CVE-2025-3327 is a stored Cross-Site Scripting (XSS) vulnerability in iteaj iboot IoT Gateway v1.1.3, specifically in the `/common/upload/batch` file upload component. The flaw arises due to improper sanitization of user-supplied input in the `File` parameter during batch uploads. An attacker can upload a malicious file containing JavaScript payloads, which are then executed when an administrator or user views the uploaded file list. Since the attack is remote and requires low privileges, it can lead to session hijacking, phishing, or unauthorized actions under the victim’s context.
DailyCVE Form:
Platform: iteaj iboot
Version: 1.1.3
Vulnerability: Stored XSS
Severity: Medium
Date: 04/08/2025
What Undercode Say:
Exploitation:
- Craft a malicious file (e.g., exploit.html) with a JavaScript payload: <script>alert(document.cookie);</script>
- Upload the file via `/common/upload/batch` with the `File` parameter:
curl -X POST -F "File=@exploit.html" http://target/common/upload/batch
- Trigger the payload when an admin views the upload directory.
Protection:
1. Patch: Apply vendor updates or disable the vulnerable endpoint.
2. Input Sanitization: Filter `File` parameter inputs using regex or libraries like DOMPurify.
3. CSP Header: Mitigate impact via:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
(Do not add 'unsafe-inline' to script-src: it re-enables exactly the inline script this CVE stores and defeats the header.)
4. WAF Rules: Block suspicious uploads with mod_security. `FILES` holds only the client-supplied filenames; the uploaded bytes are in `FILES_TMPCONTENT`, which requires `SecTmpSaveUploadedFiles On`, and every rule needs an `id` and `phase`:
SecTmpSaveUploadedFiles On
SecRule FILES_TMPCONTENT "@contains <script" "id:1001,phase:2,t:lowercase,deny,log,msg:'XSS Attempt in uploaded file'"
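Filtering the `File` parameter is only half of the fix: the gateway also has to render stored filenames as text and serve uploaded files in a way a browser will not execute. The Python below is an added example written for this page, not code from the iboot project. It shows an allow-list filename check, an HTML-escaped file list, download headers that force an attachment and disable MIME sniffing, and a small CSP parser that flags a policy whose effective script-src still allows inline scripts (the mistake in the header above). The function names, the allow-list pattern and the sample names are this example's own assumptions.

```python
"""Defensive handling of batch uploads: validation, safe rendering, safe serving,
and a CSP sanity check. Added example; not from the advisory or the iboot project."""
import html
import re
from typing import Dict, Iterable, List

# Allow-list for stored names: one path component, no HTML metacharacters,
# no separators. Pattern and length limit are this example's assumptions.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")


def validate_filename(name: str) -> bool:
    """True only for names that are safe to store and echo back to an admin page."""
    if not SAFE_NAME.fullmatch(name):
        return False
    return name not in (".", "..")            # reject traversal-style components


def render_upload_list(names: Iterable[str]) -> str:
    """Render the upload list with every name HTML-escaped, so a stored payload
    such as <script>...</script> is displayed as text rather than executed."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names)
    return f"<ul>{items}</ul>"


def download_headers(name: str) -> Dict[str, str]:
    """Response headers for serving an uploaded file: force a download and
    forbid the browser from sniffing the body as HTML."""
    if not validate_filename(name):
        raise ValueError("unsafe filename")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def csp_blocks_inline_scripts(policy: str) -> bool:
    """True if the effective script-src (script-src, else default-src) does not
    list 'unsafe-inline'. An empty or missing policy provides no protection.
    Nonce/hash subtleties are ignored here on purpose."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources:
        return False
    return "'unsafe-inline'" not in {s.lower() for s in sources}


if __name__ == "__main__":
    weak = "default-src 'self'; script-src 'unsafe-inline'"   # permits the stored payload
    fixed = "default-src 'self'; script-src 'self'"
    print("weak policy blocks inline scripts:", csp_blocks_inline_scripts(weak))
    print("fixed policy blocks inline scripts:", csp_blocks_inline_scripts(fixed))
    print(render_upload_list(["firmware.bin", "<script>alert(document.cookie);</script>"]))
```

`render_upload_list` and `download_headers` are the two places the stored payload could reach a browser; escaping at render time and serving uploads as non-executable attachments closes both paths even if a filter upstream is bypassed.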
Detection:
Scan for vulnerable instances using Nuclei:
nuclei -t xss.yaml -u http://target
Or manually inspect HTTP responses for unsanitized `
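For monitoring rather than patching, the upload traffic itself can be inspected off the wire. The Python below is an added example, not part of the advisory or of any Nuclei template: it parses raw multipart POST requests to `/common/upload/batch` as a reverse proxy or WAF would capture them and flags uploads whose filename or content carries script markers, or whose extension a browser would render as HTML. The two sample requests are constructed here for the example; the host `gateway.example`, the boundary string and the finding reasons are placeholders of this example's own choosing.

```python
"""Detection of suspicious batch uploads from captured HTTP requests.
Added example; sample requests below are constructed, not real traffic."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

UPLOAD_PATH = "/common/upload/batch"         # endpoint named in the advisory
# Markers of script delivery: opening script tag, javascript: URL, inline event handler.
SCRIPT_MARKERS = re.compile(rb"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
RENDERABLE = (".html", ".htm", ".xhtml", ".svg")  # types a browser runs scripts in


@dataclass
class Finding:
    path: str
    filename: str
    reason: str


def _parse_headers(lines: List[bytes]) -> Dict[str, str]:
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    return headers


def parse_multipart(body: bytes, boundary: bytes) -> Iterator[Tuple[Dict[str, str], bytes]]:
    """Yield (part headers, part content) for each part of a multipart/form-data body."""
    delimiter = b"--" + boundary
    for raw in body.split(delimiter)[1:]:
        if raw.startswith(b"--"):             # closing delimiter: no more parts
            break
        head, _, content = raw.lstrip(b"\r\n").partition(b"\r\n\r\n")
        yield _parse_headers(head.split(b"\r\n")), content.rstrip(b"\r\n")


def inspect_request(raw: bytes) -> List[Finding]:
    """Return findings for one raw HTTP request; an empty list means nothing suspicious."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.decode(errors="replace").split(" ")
    if len(parts) < 2 or parts[0] != "POST" or parts[1] != UPLOAD_PATH:
        return []
    path = parts[1]
    headers = _parse_headers(header_lines)
    match = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if not match:
        return []
    boundary = match.group(1).strip('"').encode()
    findings: List[Finding] = []
    for part_headers, content in parse_multipart(body, boundary):
        name_match = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
        if not name_match:
            continue                          # plain form field, not a file part
        filename = name_match.group(1)
        if SCRIPT_MARKERS.search(filename.encode()):
            findings.append(Finding(path, filename, "script markers in filename"))
        if SCRIPT_MARKERS.search(content):
            findings.append(Finding(path, filename, "script markers in file content"))
        if filename.lower().endswith(RENDERABLE):
            findings.append(Finding(path, filename, "browser-renderable upload type"))
    return findings


def build_request(filename: str, content_type: str, content: bytes) -> bytes:
    """Construct a multipart POST to the upload endpoint (test fixture, not captured traffic)."""
    boundary = b"ExampleBoundary"
    body = b"\r\n".join([
        b"--" + boundary,
        b'Content-Disposition: form-data; name="File"; filename="' + filename.encode() + b'"',
        b"Content-Type: " + content_type.encode(),
        b"",
        content,
        b"--" + boundary + b"--",
        b"",
    ])
    return b"\r\n".join([
        b"POST " + UPLOAD_PATH.encode() + b" HTTP/1.1",
        b"Host: gateway.example",
        b"Content-Type: multipart/form-data; boundary=" + boundary,
        b"Content-Length: " + str(len(body)).encode(),
        b"",
        body,
    ])


BENIGN = build_request("config.txt", "text/plain", b"poll_interval=30\n")
SUSPECT = build_request("exploit.html", "text/html", b"<script>alert(document.cookie);</script>")

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        for finding in inspect_request(request):
            print(f"{label}: {finding.path} {finding.filename!r}: {finding.reason}")
```

The three reasons are deliberately separate so an alert rule can weight them: script markers in content are the strongest signal, a renderable extension alone is a lead worth checking against the upload directory.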