Key Information

Title: Ksenia Security Lares 4.0 Home Automation URL Redirection
Advisory ID: ZSL-2020-5928
Type: Local/Remote
Impact: Spoofing
Risk: 3/5
Release Date: March 31, 2020

Summary

Lares is an intrusion and theft alarm and home automation system that can be controlled and remotely managed via the ergo LCD keypad and a phone, as well as through an integrated web server.

Description

Input passed via the 'redirectpage' GET parameter to the 'cmdOk.xml' script is not validated before it is used as the target of a redirect. This can be exploited to send an authenticated user to an arbitrary external site: the user is lured into clicking a specially crafted link that points at the trusted Lares web server, and the web server then redirects them to an attacker-chosen site, which may host a spoofed login page or malicious scripts.

Vendor

Ksenia Security S.p.A - https://www.kseniasecurity.com

Affected Versions

Firmware version 1.6
Web server version 1.0.0.15

Test Environment

Ksenia Lares Webserver

Vendor Status

March 3, 2020 - Vulnerability discovered
September 27, 2020 - Vendor contacted
March 30, 2020 - No response received from vendor
March 31, 2020 - Public security advisory released

Proof of Concept (PoC)

ksenia_click.txt

Credit

Vulnerability discovered by Menchia Isajlovsky

References

[1] https://packetstormnews.com/files/id/190179/

Change Log

March 31, 2020 - Initial release
April 3, 2020 - Added reference [1]

Contact

Website: https://www.zeroscience.mk
Email: lab@zeroscience.mk
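The Description above comes down to a missing allow-list check on the 'redirectpage' value. The following is an added example (it is not code from the advisory, the PoC file, or Ksenia's web server) of the validation a fix would need to apply before issuing the redirect. The function names, the default landing page '/index.html', and the sample redirect targets are assumptions made for illustration; the attacker host is a constructed placeholder. The check goes beyond the single case in the advisory and also rejects the usual bypasses of a naive "must start with /" rule: protocol-relative '//host', backslash variants that browsers normalise to '/', percent-encoded and double-encoded slashes, embedded control characters, and non-http schemes.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PAGE = "/index.html"  # assumed landing page, not taken from the advisory


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is a same-site, root-relative path.

    Anything with a scheme or a host (absolute URL, '//host', 'javascript:')
    is rejected, as are encoded or backslash-based variants of those forms.
    """
    if not target:
        return False

    # Decode repeatedly (bounded) so that %2F%2F and %252F%252F are both seen.
    t = target
    for _ in range(3):
        decoded = unquote(t)
        if decoded == t:
            break
        t = decoded

    # Whitespace and control characters are stripped or ignored by some URL
    # parsers (e.g. "java\tscript:"), so refuse them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in t):
        return False

    # Browsers treat "\" as "/" in the scheme/authority part of a URL,
    # so "/\attacker.example" is really "//attacker.example".
    t = t.replace("\\", "/")

    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        return False

    # Must be root-relative ("/page") but not protocol-relative ("//host").
    if not t.startswith("/") or t.startswith("//"):
        return False
    return True


def resolve_redirect(target: str, default: str = DEFAULT_PAGE) -> str:
    """Pick the Location header value: the requested page if safe, else default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample values; "attacker.example" is a placeholder host.
    for sample in ["/keypad.xml", "https://attacker.example/",
                   "//attacker.example", "/\\attacker.example",
                   "%2F%2Fattacker.example", "javascript:alert(1)"]:
        print(f"{sample!r:32} -> {resolve_redirect(sample)}")
```

In the fixed handler the value of 'redirectpage' would be passed through resolve_redirect() and only the returned path placed in the Location header; the check deliberately decodes before validating because the server will see the decoded form while a naive string-prefix check sees the encoded one.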