CVE-2019-11368
Description
Stored XSS was discovered in AUO Solar Data Recorder before 1.3.0 via the protect/config.htm addr parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in AUO Solar Data Recorder before 1.3.0 allows attackers to inject arbitrary JavaScript via the addr parameter in protect/config.htm.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in AUO Solar Data Recorder versions prior to 1.3.0. The addr parameter in the protect/config.htm page does not properly sanitize user input, allowing an attacker to inject arbitrary HTML and JavaScript code that is stored and later executed when the page is viewed [1].
Exploitation
An attacker with network access to the device's web interface can send an HTTP request to protect/config.htm whose addr parameter contains a JavaScript payload. No authentication is required if the interface is exposed, and the injected script will be stored and executed in the context of the application for any user visiting the affected page [1].
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the browser of any user accessing the vulnerable page. This can result in session hijacking, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the web application [1].
Mitigation
Upgrade to AUO Solar Data Recorder version 1.3.0 or later, which fixes the input sanitization issue. No workaround is available for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AUO/Solar Data Recorder (description)
- Range: <1.3.0
Patches
No patches discovered yet.
References
- drive.google.com/open (mitre, x_refsource_MISC)
- github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11368 (mitre, x_refsource_MISC)