| Title | Reflected Cross-Site Scripting (XSS) |
|---|---|
| Product | Avocent DSR2030 |
| Vulnerable Version | Appliance firmware version 03.04.00.07 |
| Fixed Version | 03.07.01.23 |
| Product | Avocent SVIP1020 |
| Vulnerable Version | Appliance firmware version 01.06.00.03 |
| Fixed Version | 01.07.00.00 |
| CVE number | CVE-2024-34923 |
| Impact | Medium |
| Homepage | Avocent page |
| Found | March 2022; updated with an additional version for another device in March 2024 |
Vendor Description
Avocent Corporation was an information-technology products manufacturer headquartered in Huntsville, Alabama. Avocent formed in 2000 from the merger of the world's two largest manufacturers of KVM (keyboard, video and mouse) equipment, Apex and Cybex Computer Products Corporation. As of August 2006, the company employed more than 1,800 people worldwide.
Vulnerability Overview/Description
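As an added illustration, not code from the Avocent firmware or from this advisory: the reflected pattern this section describes, shown as a minimal page renderer that echoes a request value back into HTML, beside the output-encoding fix and a simple review check. The advisory names no affected endpoint or parameter, so the `query` value, the page template and the probe string are assumptions constructed for the example.

```javascript
// Added example (not Avocent code). Demonstrates why reflecting a request
// value into HTML without encoding is exploitable, and the standard fix.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value. (Assumed helper; other contexts such as
// JavaScript strings or URLs need their own, context-specific encoding.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the query-string value is copied into the response
// verbatim, so markup carried in a crafted link becomes markup in the page
// and runs in the victim's browser under the appliance's origin.
function renderVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: the same value is encoded on output, so the browser
// displays it as text instead of parsing it as HTML.
function renderHardened(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Review check: did an untrusted value that contains a tag start survive in
// the rendered page unchanged? True means it was reflected without encoding.
function containsActiveMarkup(html, untrustedValue) {
  return /<[a-z!/]/i.test(untrustedValue) && html.includes(untrustedValue);
}

// Constructed probe string (the classic proof-of-reflection marker).
const probe = "<script>alert(1)</script>";

console.log("vulnerable:", renderVulnerable(probe));
console.log("hardened:  ", renderHardened(probe));
console.log("reflected unencoded?",
  containsActiveMarkup(renderVulnerable(probe), probe),
  containsActiveMarkup(renderHardened(probe), probe));
```

The fix is applied at the output point, where the HTML context is known; filtering the input instead tends to miss encodings and alternative payload shapes. A `Content-Security-Policy` that disallows inline script is a useful second layer on an appliance web UI, but it does not replace output encoding.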
Reflected Cross-Site Scripting
With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code into the victim’s web browser. Once the victim clicks a malicious link, the attacker’s code is executed in the context of the victim’s web browser. The vulnerability can be used to change the contents of the displayed site, redirect to other sites or steal user credentials. Additionally, users are potential victims of browser exploits and JavaScript trojans.
Vulnerable / Tested Versions
The following versions were tested and found to be vulnerable:
- Appliance firmware version 01.06.00.03
- Appliance firmware version 03.04.00.07
Solution
The vendor provides an updated version which should be installed immediately:
- For the first device: 03.07.01.23
- For the second device: 01.06.00.03
Advisory URL
https://ka1ne1.github.io/avocent_xss.html
Researchers
Kiryukhin Dmitry, Melnikova Anastasia, Maria Mikhaylova
D. Kiryukhin / @2024