VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2019 · Updated Aug 5, 2024

CVE-2017-9387

Description

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called relay.sh which is used for creating new SSH relays for the device so that the device connects to Vera servers. All the parameters passed in this specific script are logged to a log file called log.relay in the /tmp folder. The user can also read all the log files from the device using a script called log.sh. However, when the script loads the log files it displays them with content-type text/html and passes all the logs through the ansi2html binary which converts all the character text including HTML meta-characters correctly to be displayed in the browser. This allows an attacker to use the log files as a storing mechanism for the XSS payload and thus whenever a user navigates to that log.sh script, it enables the XSS payload and allows an attacker to execute his malicious payload on the user's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vera VeraEdge and Veralite devices log user-supplied SSH relay parameters to a file served without sanitization, enabling stored XSS.

Vulnerability

Vera VeraEdge version 1.7.19 and Veralite version 1.7.481 contain a stored cross-site scripting (XSS) vulnerability in the relay.sh script. This script logs all parameters passed to it into /tmp/log.relay without sanitization. The log.sh script reads this and other log files and serves them via a web interface with content-type text/html after passing them through the ansi2html binary, which preserves HTML metacharacters. Consequently, any attacker-provided input containing HTML or JavaScript is stored in the log file and later rendered in a browser when a user accesses log.sh.
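As an added illustration (not code from the Vera firmware or from this advisory), the Python below models the rendering path just described: a minimal stand-in for the ansi2html step that only understands SGR colour codes, applied to a constructed log line once the way the advisory describes (raw bytes into HTML) and once with HTML metacharacters escaped before any markup is generated. All function names and the sample log line are assumptions.

```python
import html
import re

# Minimal stand-in for an ANSI-to-HTML renderer (NOT the device's ansi2html
# binary); it only understands ESC[..m colour/reset sequences.
SGR_RE = re.compile(r"\x1b\[([0-9;]*)m")
COLOURS = {"31": "red", "32": "green", "33": "yellow", "34": "blue"}

# Constructed log line: one relay parameter carries HTML, as relay.sh would
# log any argument verbatim into /tmp/log.relay.
SAMPLE_LOG = (
    "relay.sh args: host=\x1b[32mrelay.example\x1b[0m "
    "user=<script>/*constructed*/</script>\n"
)


def ansi_to_html(text: str) -> str:
    """Turn ESC[..m sequences into <span> tags; everything else is copied as-is."""
    out, depth, pos = [], 0, 0
    for m in SGR_RE.finditer(text):
        out.append(text[pos:m.start()])
        pos = m.end()
        codes = m.group(1).split(";") if m.group(1) else ["0"]
        for code in codes:
            if code in ("", "0"):            # reset closes every open span
                out.append("</span>" * depth)
                depth = 0
            elif code in COLOURS:
                out.append(f'<span style="color:{COLOURS[code]}">')
                depth += 1
    out.append(text[pos:])
    out.append("</span>" * depth)
    return "".join(out)


def render_log_vulnerable(log_text: str) -> str:
    """Path the advisory describes: log content goes straight into text/html."""
    return ansi_to_html(log_text)


def render_log_hardened(log_text: str) -> str:
    """Escape <, >, &, quotes first, then add markup only for colour codes."""
    return ansi_to_html(html.escape(log_text, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Check used here as a detector: any tag other than our own <span>?"""
    tags = re.findall(r"<(/?[a-zA-Z]+)", rendered)
    return any(t.lower() not in ("span", "/span") for t in tags)
```

With the hardened path the log line still renders in colour, but the stored `<script>` text reaches the browser as `&lt;script&gt;`, which is inert.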

Exploitation

An attacker with network access to the Vera device can send crafted parameters to the relay.sh script, embedding an XSS payload in one of the arguments. This payload is logged into /tmp/log.relay. When a legitimate user navigates to the log.sh page (typically exposed on the local network), the browser interprets the stored payload as active content, executing the attacker's JavaScript in the context of the user's session.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who visits the log page. This can lead to session hijacking, credential theft, or further attacks against the Vera web interface. The attacker does not require prior authentication; they only need the ability to trigger relay.sh (e.g., via a network request), and the victim needs to access log.sh while the malicious payload is in the log file.

Mitigation

As of the latest available references [1], no official patch has been released for VeraEdge 1.7.19 or Veralite 1.7.481. Users should restrict network access to the log.sh endpoint (e.g., via firewall rules) and avoid using the web-based log viewer on untrusted networks. Given the devices may be end-of-life, upgrading to a supported firmware version or replacing the device is recommended.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)
