CVE-2020-36905

HIGH

FIBARO System Home Center 5.021 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36905. PoCs published by LiquidWorm.

AI-analyzed exploit summary The exploit demonstrates a Remote File Inclusion (RFI) vulnerability in FIBARO Home Center, allowing arbitrary JavaScript execution via an undocumented proxy API endpoint. The PoC includes a crafted SVG file with an XSS payload, which is loaded through the vulnerable URL parameter.

Description

FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsmultiple

https://www.exploit-db.com/exploits/48240

View Code ZIP pw:eip

The exploit demonstrates a Remote File Inclusion (RFI) vulnerability in FIBARO Home Center, allowing arbitrary JavaScript execution via an undocumented proxy API endpoint. The PoC includes a crafted SVG file with an XSS payload, which is loaded through the vulnerable URL parameter.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: FIBARO Home Center (versions 5.021.38, 4.580, 4.570, 4.540, 4.530, 4.510, 4.180)

No auth needed

Prerequisites: Network access to the vulnerable FIBARO Home Center instance · Ability to host a malicious SVG file on an external server

MITRE ATT&CK