CVE-2017-16568 PoC — Logitech Media Server 跨站脚本漏洞

Source

https://github.com/dewankpant/CVE-2017-16568

Associated Vulnerability

Title:Logitech Media Server 跨站脚本漏洞 (CVE-2017-16568)
Description:Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Radio" functionality. This vulnerability allows attackers to inject malicious JavaScript payloads, which become permanently stored on the server and execute when a user plays the compromised radio stream. Exploitation of this vulnerability can lead to Session hijacking and unauthorized access, Persistent manipulation of web content within the application, and Phishing or malicious redirects to external domains. This vulnerability can be exploited to manipulate media server behavior in enterprise and home network environments.

Readme

# CVE-2017-16568


 1. Exploit Title: Logitech Media Server : HTML code injection and execution.
 2. Shodan Dork: Search Logitech Media Server
 3. Date: 11/03/2017
 4. Exploit Author: Dewank Pant
 5. Vendor Homepage: www.logitech.com
 6. Version: 7.9.0
 7. Tested on: Windows 10, Linux

  
  
  
POC:
  
1. Access and go to the Radio URL tab and add a new URL.
2. Add script as the value of the field.
3. Payload : <script> alert(1)</script>
4. Script saved and gives an image msg with a javascript execution on image click.
5. Therefore, Persistent XSS.

File Snapshot


 [4.0K]  /data/pocs/81d79dbc1cc878bf4b5c727bfff130ab5249795d
└── [ 555]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!