CVE-2017-9390
Description
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a shell script called connect.sh which is supposed to return a specific cookie for the user when the user is authenticated to https://home.getvera.com. One of the parameters retrieved by this script is "RedirectURL". However, the application lacks strict input validation of this parameter, which allows an attacker to inject and execute client-side code (cross-site scripting) in the context of this application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vera VeraEdge and Veralite devices lack input validation in connect.sh, allowing cross-site scripting via the RedirectURL parameter.
Vulnerability
An issue exists in the connect.sh script on Vera VeraEdge firmware version 1.7.19 and Veralite firmware version 1.7.481. The script returns a cookie after the user has authenticated to https://home.getvera.com and takes a RedirectURL parameter as part of that flow. The script does not strictly validate this parameter before reflecting it, so an attacker-supplied value can carry arbitrary client-side code [1].
Exploitation
An attacker crafts a link to connect.sh with a malicious RedirectURL value and presents it to a user of the device. When connect.sh reflects the value without sanitisation, the injected code runs in the victim's browser in the origin of the device's web interface (reflected cross-site scripting). The attacker needs no credentials of their own; the victim only has to follow the crafted link while holding a valid session [1].
Impact
Successful exploitation results in client-side code execution (cross-site scripting) within the user's browser session. This can lead to theft of session tokens or cookies (where the cookie is not marked HttpOnly), requests issued to the device with the victim's session, or manipulation of the page content displayed to the victim [1].
Mitigation
As of the available references, no patched firmware version has been publicly identified for either the VeraEdge or Veralite devices. Users are advised not to follow untrusted links that point at connect.sh and to monitor vendor updates for a fix [1]. The general remedy for this class of bug is to validate RedirectURL against an allowlist (for example, only a local path on the device, never a scheme-relative or absolute URL) and to HTML-escape the value wherever it is written into the response, rather than reflecting it unchanged.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
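The vulnerability and mitigation sections above describe a shell CGI script that reflects a RedirectURL query parameter without checking it. The following is an added example, not Vera's connect.sh and not code from any of the cited references: a minimal POSIX sh handler that shows the unsafe pattern (decode and interpolate) next to a hardened version that allowlists the target and escapes it. The parameter name RedirectURL is taken from the CVE; the function names, the meta-refresh page template and the constructed query strings are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the device's connect.sh): reflecting a RedirectURL CGI
# parameter, first unsafely and then with allowlist validation + HTML escaping.

# Extract one parameter's raw (still percent-encoded) value from a query string.
query_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Percent-decode a query value ('+' -> space, %XX -> byte). Rejects malformed
# escapes and decoded control or non-ASCII bytes (CR/LF would otherwise allow
# header injection when the value is reflected into a Location header).
urldecode() {
    s=$1 out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # pop the first character
        case "$c" in
            +) c=' ' ;;
            %) hex=${s%"${s#??}"}; s=${s#??}
               case "$hex" in
                   [0-9a-fA-F][0-9a-fA-F]) ;;
                   *) return 1 ;;           # "%zz", "%" at end of string
               esac
               code=$((0x$hex))
               if [ "$code" -lt 32 ] || [ "$code" -gt 126 ]; then return 1; fi
               c=$(printf "\\$(printf '%03o' "$code")") ;;
        esac
        out="$out$c"
    done
    printf '%s' "$out"
}

# Allowlist for a local redirect target: a single path on this host with an
# optional query string, built only from characters that cannot close an HTML
# attribute or introduce a scheme. "//evil.example", "/\evil" and
# "javascript:alert(1)" are all rejected here.
validate_redirect_url() {
    case "$1" in
        /) return 0 ;;
        //*|/\\*) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9/._~?=&-]+$'
}

# Escape for an HTML text/attribute context. Validated values are escaped too,
# so the allowlist is not the only line of defence.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&#39;/g'
}

# The flaw as described by the CVE: the value lands in the page unchecked, so
# a value such as "><script>...</script> breaks out of the attribute.
unsafe_redirect_page() {
    url=$(urldecode "$(query_param "$1" RedirectURL)") || url=/
    printf '<meta http-equiv="refresh" content="0;url=%s">\n' "$url"
}

# Hardened: decode, validate, fall back to a fixed local default on any
# failure, and escape what is reflected.
safe_redirect_page() {
    url=$(urldecode "$(query_param "$1" RedirectURL)") || url=/
    validate_redirect_url "$url" || url=/
    printf '<meta http-equiv="refresh" content="0;url=%s">\n' "$(html_escape "$url")"
}
```

Run with a constructed query string such as `safe_redirect_page 'RedirectURL=%2Fportal%3Fnext%3Dhome'` to see a valid local target pass through, and with `RedirectURL=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E` to see the unsafe handler emit the script tag while the hardened one falls back to `/`. The allowlist deliberately rejects anything absolute or scheme-relative, which also closes the open-redirect half of the problem; if the device needs off-host redirects, compare the host against a fixed list rather than widening the character class.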
Affected products
- Vera / VeraEdge / Veralite
- Range: = 1.7.481 (Veralite); VeraEdge 1.7.19 per the description
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html (MISC)
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf (MISC)
- seclists.org/bugtraq/2019/Jun/8 (BUGTRAQ mailing list)
News mentions
No linked articles in our index yet.