CVE-2021-40223 PoC — Rittal CMC PU III Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: Rittal CMC PU III Cross-Site Scripting Vulnerability (CVE-2021-40223)
Description: Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several configuration parameters (User Configuration dialog, Task Configuration dialog and Set Logging Filter dialog). This allows an attacker to backdoor the device's web interface with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload is triggered when a user accesses specific sections of the application.
Description: XSS Vulnerability in Rittal
Readme
# CVE-2021-40223
**Application**: Rittal CMC PU III Web management

**Devices**: CMC PU III 7030.000

**Software Revision**: V3.11.00_2

**Hardware Revision**: V3.00

**Attack type**: Stored XSS

**Solution**: Update to Software Revision V3.17.10 or later

**Summary**: The web application fails to sanitize user input in the Security User configuration dialog and the Task tab, so an attacker can inject HTML or browser-interpreted content into the web application. The payload injected through the user configuration is rendered when authentication is performed and again in the log section; the payload injected through a task is also rendered in the log section. Note that both payloads persist in the logs until the logs are deleted, even after the rogue input values have been changed back to benign ones. Successful exploitation requires access to the web management interface with a valid or hijacked session.
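
The two sides of the issue above, as an added example that is not part of the original PoC or of Rittal's firmware: the unsafe pattern the advisory describes (a stored field value dropped into HTML verbatim), the hardened form (HTML-entity encoding at output time), and a check an operator can run over an exported log to find entries that still carry browser-interpreted content after the offending user or task names were corrected. The log line format, field names and the payloads are constructed for the example; the CMC's real log layout is not on this page.

```python
import html
import re

# Constructed sample log export. The "user=" / "name=" fields and the
# timestamp layout are assumptions for the example, not the CMC III format.
SAMPLE_LOG = """\
2021-08-03 10:15:02 Login user=admin result=ok
2021-08-03 10:16:40 Task created name=<script>alert(document.cookie)</script>
2021-08-03 10:17:01 Login user=<img src=x onerror=alert(1)> result=fail
2021-08-03 10:18:22 Task created name=nightly-backup
"""

# Rough markers for content a browser would interpret: an opening or closing
# tag, a javascript: URL, or an on*= event handler attribute.
_MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE
)


def render_log_line_unsafe(line: str) -> str:
    """The pattern the advisory describes: the stored value is interpolated
    into the page as-is, so any markup in a user or task name executes."""
    return f"<tr><td>{line}</td></tr>"


def render_log_line_safe(line: str) -> str:
    """Hardened form: entity-encode the value at output time so the browser
    renders '<script>' as text instead of executing it."""
    return f"<tr><td>{html.escape(line, quote=True)}</td></tr>"


def find_suspicious_entries(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for log entries that still carry markup.

    Because the payload stays in the log even after the rogue user or task
    name is replaced, checking the stored log, not just the current
    configuration, is what tells an operator whether a device was hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if _MARKUP_RE.search(line):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    for n, line in find_suspicious_entries(SAMPLE_LOG):
        print(f"line {n}: {line}")
        print("  unsafe render:", render_log_line_unsafe(line))
        print("  safe render:  ", render_log_line_safe(line))
```

Run it on a real export after updating to V3.17.10 or later: the update stops new injections, but entries already written remain as they were, so the scan is what shows whether the logs need to be cleared.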

**Timeline**:
* 2021-08-03 Issues discovered
* 2021-08-08 First contact with vendor via e-mail
* 2021-08-23 Second contact with vendor via e-mail
* 2021-09-01 Vulnerability patch confirmed
File Snapshot

[4.0K] /data/pocs/dd07ede1204a0355e7a478827cd03bacd1e8750b
├── [1.1K] README.md
├── [431K] STORED XSS IN RITTAL CMC III.pdf
├── [4.5M] XSSLogin.mp4
└── [2.2M] XSSTask.mp4

0 directories, 4 files