CVE-2021-21802
Description
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unvalidated `graph` parameter in Advantech R-SeeNet device_graph_page.php enables stored or reflected XSS, allowing arbitrary JS execution in a victim's browser.
Vulnerability
CVE-2021-21802 is a cross-site scripting (XSS) vulnerability in the device_graph_page.php script of Advantech R-SeeNet version 2.4.12 (20.10.2020). The script reads a `graph` GET parameter (lines 10-13) and embeds its value directly into the `src` attribute of an `<img>` tag on line 64 without validation or output encoding [1]. Because the value is never encoded for an attribute context, a parameter value containing a double quote closes the attribute and an attacker can inject further attributes, and with them arbitrary JavaScript, into the page.
Exploitation
An attacker can craft a malicious URL containing a graph parameter with a JavaScript payload, e.g., " onerror=alert(1) ". If a victim visits this URL while authenticated to the R-SeeNet web interface, the injected code executes in the context of the victim's browser. The attack requires no prior authentication or special privileges; it only requires that the victim clicks the crafted link [1].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. The impact aligns with CWE-79 and can result in session hijacking, credential theft, sensitive information disclosure, or further actions as the victim user. The CVSSv3 score is 9.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impact [1].
Mitigation
As of the publication date (2021-07-16), the vulnerability affects Advantech R-SeeNet 2.4.12 (20.10.2020). No patched version was immediately available in the provided references. The vendor should be contacted for updates. In the absence of a fix, administrators should restrict access to the R-SeeNet web interface and educate users not to click unsolicited links [1].
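The defect class described above (a request parameter copied into an HTML attribute without validation or encoding) and the two defensive layers that close it, shown as an added Python example that is not the R-SeeNet code: `render_unsafe` mirrors the pattern the advisory describes, `render_encoded` applies attribute-context output encoding, `is_allowed_graph` adds an allowlist, and `flag_suspicious_requests` scans constructed access-log lines for `graph` values that fail the allowlist, which is the kind of check an administrator can run while no vendor fix is available. The file path `graphs/<id>.png`, the allowlist pattern and the log format are assumptions; the only payload used is the one quoted on this page.

```python
"""Added example for CVE-2021-21802: attribute-context XSS, its fix, and a log check.

Example code written for this page, not Advantech's device_graph_page.php.
Assumed: graph identifiers are short [A-Za-z0-9_.-] tokens, the page renders
graphs/<id>.png, and the web server writes Common Log Format access logs.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed allowlist for legitimate graph identifiers.
GRAPH_ID = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Payload quoted in the advisory text on this page; used only to show behaviour.
BREAKOUT_PAYLOAD = '" onerror=alert(1) "'


def render_unsafe(graph: str) -> str:
    """The advisory's pattern: raw parameter value placed inside a src attribute."""
    return f'<img src="graphs/{graph}.png">'


def render_encoded(graph: str) -> str:
    """Minimal fix: encode for attribute context so the value cannot close it.

    html.escape(quote=True) turns both " and ' into character references.
    """
    return f'<img src="graphs/{html.escape(graph, quote=True)}.png">'


def is_allowed_graph(graph: str) -> bool:
    """Defence in depth: accept only values matching the assumed identifier shape."""
    return GRAPH_ID.fullmatch(graph) is not None


class _ImgAttrs(HTMLParser):
    """Collect the attributes a browser-style parser sees on the first <img>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = attrs


def img_attributes(fragment: str) -> dict:
    """Parse a fragment and return the <img> attributes as a dict.

    A second attribute such as onerror means the src value broke out of its quotes.
    """
    parser = _ImgAttrs()
    parser.feed(fragment)
    parser.close()
    return dict(parser.attrs)


# Constructed access-log lines (Common Log Format); the second request carries
# the page's payload percent-encoded as a browser would send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2021:10:00:01 +0000] "GET /device_graph_page.php?graph=temp_1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jul/2021:10:00:07 +0000] "GET /device_graph_page.php?graph='
    '%22%20onerror%3Dalert%281%29%20%22 HTTP/1.1" 200 600',
    '10.0.0.5 - - [16/Jul/2021:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(log_lines) -> list:
    """Return (client_ip, decoded graph value) for requests failing the allowlist."""
    flagged = []
    for line in log_lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlparse(target)
        if not url.path.endswith("device_graph_page.php"):
            continue
        # parse_qs percent-decodes the value, so the check sees what PHP would see.
        for value in parse_qs(url.query, keep_blank_values=True).get("graph", []):
            if not is_allowed_graph(value):
                flagged.append((ip, value))
    return flagged


if __name__ == "__main__":
    print("unsafe :", img_attributes(render_unsafe(BREAKOUT_PAYLOAD)))
    print("encoded:", img_attributes(render_encoded(BREAKOUT_PAYLOAD)))
    print("flagged:", flag_suspicious_requests(SAMPLE_LOG))
```

Running the block shows the parsed `<img>` gaining an `onerror` attribute in the unsafe rendering, while the encoded rendering keeps the whole payload inert inside the single `src` value; the allowlist is applied before rendering in a real handler and is reused here as the detection rule over the log.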
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Advantech / R-SeeNet
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1272 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.