# Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel # Date: 10-30-23 # Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security # Vendor Homepage: https://www.solar-log.com/en/ # Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019 # Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/ # CVE: CVE-2023-46344 # POC: 1. Go to solar panel 2. Go to configuration -> Smart Energy -> "drag & drop" button. 3. Change "name" to: <xss onmouseenter="alert(document.cookie)" style=display:block>test</xss> 4. Once you hover over "test", you get XSS -> if a higher privileged user hovers over it, we can get their cookies.
Credits and Partners
All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD
