CVE-2022-35134
Description
Boodskap IoT Platform v4.4.9-02 contains a cross-site scripting (XSS) vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Boodskap IoT Platform v4.4.9-02 is vulnerable to stored cross-site scripting via unsanitized domain name and user name fields.
Vulnerability
Boodskap IoT Platform v4.4.9-02 contains a stored cross-site scripting (XSS) vulnerability caused by insufficient input validation and output sanitization. The vulnerability exists in multiple functionalities, including the domain name and user name fields [1].
Exploitation
An attacker can exploit the vulnerability by injecting a malicious script into the domain name field during configuration or by changing their user name to include a payload. For example, setting the domain name to `` results in script execution. A lower-privilege user can also change their own name to contain an XSS payload, potentially targeting an admin user when the admin views the user profile [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data. The impact is limited by the same-origin policy but can be leveraged for further attacks against platform users [1].
Mitigation
As of the publication date, no official patch has been announced. The vendor has not released a fixed version. Users should implement strict input validation and output encoding, and consider using a Web Application Firewall (WAF) as a temporary workaround. Monitor the vendor for updates [1].
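A sketch of the input validation and output encoding recommended above, applied to the two fields named in this entry. This is an added example, not Boodskap code; the field rules, function names, and sample record are assumptions made for illustration.

```javascript
// Added example: field rules and names are assumptions, not Boodskap code.
// Allowlist for a domain-name identifier: letters, digits, dot, hyphen, underscore.
const DOMAIN_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/;
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation at write time: reject non-conforming names instead of "cleaning" them.
function validateDomainName(name) {
  if (typeof name !== 'string' || !DOMAIN_NAME_RE.test(name)) {
    return { ok: false, error: 'domain name must match ' + DOMAIN_NAME_RE };
  }
  return { ok: true, value: name };
}

// User names legitimately contain punctuation, so validation only bounds the
// length and rejects control characters. The value is stored as entered and
// made safe by encoding when it is rendered.
function validateUserName(name) {
  if (typeof name !== 'string') return { ok: false, error: 'not a string' };
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 64 || /[\u0000-\u001f\u007f]/.test(trimmed)) {
    return { ok: false, error: 'user name length/character check failed' };
  }
  return { ok: true, value: trimmed };
}

// Output encoding at render time, applied to every stored field even if it was validated.
function renderProfileRow(user) {
  return '<tr><td>' + escapeHtml(user.name) + '</td><td title="' +
    escapeHtml(user.domain) + '">' + escapeHtml(user.domain) + '</td></tr>';
}

// Constructed sample record: a user name containing markup characters.
const sample = { name: 'Ops <b>Team</b> & "QA"', domain: 'plant-01.example' };
console.log(renderProfileRow(sample));
```

Encoding at render time is the control that protects an admin viewing another user's profile, because it also covers values stored before any validation rule existed.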
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Boodskap/IoT Platform
  - Range: =4.4.9-02
Patches
No patches discovered yet.
References