Authored by Mufaddal Masalawala

Kaa IoT Platform version 1.2.0 suffers from a persistent cross site scripting vulnerability.

advisories | CVE-2020-26701

#Exploit Title: Kaa IoT Platform 1.2.0 Cross Site Scripting (XSS)
Vulnerability
#Date: 2020-10-01
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.kaaproject.org/
#Software Link: https://cloud.kaaiot.com/
#Version: 1.2.0
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-26701
#Proof Of Concept:
Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT
Platform v1.2.0 allows remote attackers to inject malicious web scripts or
HTML Injection payloads via the Description parameter.
To exploit this vulnerability:

1. Open Firefox browser, login to the cloud.kaaiot.com and access the
dashboard
2. Go to 'Solutions' module, select any one solution(create if not
present) and click on it.
3. Now in the Dashboards module, edit the Dashboard.
4. in Description, enter the payload <img src="x"
onerror="alert(window.location)" /> and click 'Update'.
5. Open that Dashboard and you'll receive an alert executing user
supplied script in the browser.