VYPR
Unrated severity · NVD Advisory · Published Sep 29, 2022 · Updated May 20, 2025

CVE-2022-35137

Description

DGIOT Lightweight industrial IoT v4.5.4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DGIOT Lightweight industrial IoT v4.5.4 contains multiple stored XSS vulnerabilities due to lack of output encoding, allowing attackers to steal admin cookies.

Vulnerability

DGIOT Lightweight industrial IoT platform version 4.5.4 is vulnerable to multiple stored cross-site scripting (XSS) attacks. The application fails to output-encode user-supplied JavaScript payloads, such as ``, before rendering them in the browser. This allows malicious scripts to be permanently stored and executed in the context of other users' sessions. [2]

Exploitation

An attacker can inject arbitrary JavaScript into input fields that are later displayed to other users. No special authentication is required beyond the ability to submit data to the vulnerable endpoints. The injected script executes when an administrator or other user views the affected page, enabling the attacker to capture session cookies or perform other actions in the victim's browser context. [2]

Impact

Successful exploitation allows an attacker to steal administrator session cookies, leading to account impersonation and full compromise of the IoT platform's administrative interface. This can result in unauthorized control over connected devices, data exfiltration, and further lateral movement within the network. [2]

Mitigation

As of the publication date (2022-09-29), no official patch or fixed version has been disclosed in the available references. Administrators should apply general XSS prevention measures such as input validation, output encoding, and Content Security Policy (CSP) headers as recommended by OWASP [1]. However, the vendor has not released a specific update for this vulnerability.
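As an added illustration of the output-encoding gap described in the Vulnerability and Mitigation sections above (example code written for this page, not DGIOT's own code; the stored device-name value, the table-row template and the CSP value are constructed assumptions), the block below contrasts a rendering path that inserts a stored string straight into markup with one that HTML-encodes it first, and shows a conservative CSP value of the kind OWASP recommends as a second layer:

```javascript
// Added example (not DGIOT code). Contrasts raw insertion of a stored value
// into HTML with the same template after output encoding, then builds a CSP
// header value that blocks inline script as defence in depth.

// Constructed stored value of the kind the advisory describes: a string that
// becomes executable markup if it is inserted into the page unencoded.
const STORED_DEVICE_NAME = 'sensor-01<script>alert(1)</script>';

// Minimal HTML entity encoder for text placed between tags or inside
// double-quoted attributes. Order matters: '&' must be encoded first so the
// entities produced for the other characters are not re-encoded.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering pattern: stored string concatenated into markup as-is.
// This is the behaviour the advisory attributes to the affected version.
function renderDeviceRowUnsafe(name) {
  return `<td class="device">${name}</td>`;
}

// Hardened rendering: identical template, stored string encoded on output.
// The browser shows the literal text '<script>...' and executes nothing.
function renderDeviceRowSafe(name) {
  return `<td class="device">${encodeHtml(name)}</td>`;
}

// Detection helper used only in this example: does the produced markup contain
// a script tag that came from the stored value rather than from the template?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Second layer: a restrictive Content-Security-Policy value. With no
// 'unsafe-inline' in script-src, an injected inline <script> is refused by the
// browser even if encoding is missed somewhere. The value is an assumed
// starting point, not a policy taken from the vendor.
function buildCspHeaderValue() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderDeviceRowUnsafe(STORED_DEVICE_NAME));
  console.log('safe   :', renderDeviceRowSafe(STORED_DEVICE_NAME));
  console.log('CSP    :', buildCspHeaderValue());
}
```

The encoder is context-specific: it is correct for element content and double-quoted attribute values, but a value placed inside a URL, a JavaScript string literal or a CSS block needs the encoder for that context instead, which is why the CSP value is kept as an independent control rather than a substitute for encoding.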

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)