How we got a CVE for a DOM-Based Stored XSS on a Solar Panel — CVE-2022-42974

David de Paula Santos
3 min read · Jun 19, 2024


UPDATED: Kostal said that the fix is now available!

In today’s interconnected world, cybersecurity is paramount. As devices and systems become more integrated, the potential for vulnerabilities increases. My friend, Caio Gonçalves, and I discovered a security flaw in the Kostal PIKO 1.5–1 MP Plus HMI OEM P 1.0.1 solar panel’s web application. This blog post details our discovery, the technical specifics of the vulnerability, and the subsequent timeline of our communication with the Kostal Company.

The Vulnerability: DOM-Based Stored Cross-Site Scripting (XSS)

DOM-Based Stored Cross-Site Scripting (XSS) is a security vulnerability found in web applications. It occurs when an application stores user input and later embeds it in a web page without proper sanitization or encoding, and the stored value is then written into the Document Object Model (DOM) by client-side script through an unsafe sink, so the browser parses it as markup and executes any script it contains. This flaw allows an attacker to inject malicious scripts into web pages viewed by other users.

Technical Details

The vulnerability we found exists in the web application for the Kostal PIKO 1.5–1 MP Plus HMI OEM P 1.0.1 solar panel, specifically in the /file.bootloader.upload.html endpoint. The application fails to properly sanitize the filename parameter in a POST request to this endpoint, allowing an attacker to inject HTML and/or JavaScript into the page.

With this vulnerability, we got the CVE-2022-42974.

https://nvd.nist.gov/vuln/detail/CVE-2022-42974

Vulnerable Endpoint:

  • /file.bootloader.upload.html

Vulnerable Parameter:

  • filename (in a POST request for a system update)

Exploitation:

By sending a malicious payload in the filename parameter, such as <IFRAME SRC=javascript:alert`XSS_Stored_DOM_Based`>, an attacker can inject code that is processed and stored by the application. Any subsequent visit to a page that renders the stored filename executes the payload in the victim's browser. The issue is exacerbated by the fact that the page's client-side script writes the filename into the document via the innerHTML property, so the stored value is parsed as HTML, which makes this a DOM-based XSS attack.
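To make the sink and its fix concrete, here is an added example (not code from the original post or from the Kostal firmware) that shows the two defences for the pattern described above: rejecting an upload filename that falls outside a strict allowlist at the POST handler, and HTML-encoding whatever is still rendered so that a stored value can never be parsed as markup through innerHTML. The allowlist policy, the function names and the stored-value audit helper are assumptions of this example; the payload string is the one quoted in the post and is used only as a test input.

```javascript
// Added example, not code from the original post or from the Kostal firmware.
// Demonstrates (1) allowlist validation of the 'filename' parameter at upload
// time and (2) HTML encoding before the stored value reaches the DOM, so the
// innerHTML sink described in the post cannot interpret it as markup.

// Payload quoted in the post, used here only as a test input.
const PAYLOAD_FROM_POST = "<IFRAME SRC=javascript:alert`XSS_Stored_DOM_Based`>";

// Defence 1: allowlist for an upload filename (hypothetical policy).
// Letters, digits, underscore, dash and dot; no leading dot; at most 128 chars.
const FILENAME_RE = /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$/;

function isAcceptableFilename(name) {
  return typeof name === "string" && FILENAME_RE.test(name);
}

// Defence 2: encode the five HTML-significant characters before the value is
// placed inside an element body. This is correct for the element-body context
// only, not for attribute, URL or script contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape of the sink, for comparison only (never use):
//   statusElement.innerHTML = "Uploaded: " + storedFilename;
// Hardened shape: build the markup from encoded text. In a browser, assigning
// the raw value to statusElement.textContent is the simpler equivalent.
function renderUploadStatus(storedFilename) {
  return '<span class="filename">Uploaded: ' + escapeHtml(storedFilename) + "</span>";
}

// Simulated POST handler for the update endpoint: the filename is either
// accepted and stored verbatim, or rejected before it is ever persisted.
function handleUpload(filenameParam) {
  if (!isAcceptableFilename(filenameParam)) {
    return { accepted: false, stored: null };
  }
  return { accepted: true, stored: filenameParam };
}

// Audit helper for defenders: flags stored values that contain characters an
// HTML parser would treat as markup. Useful for scanning filenames that were
// persisted before the fix was deployed.
function looksLikeMarkup(stored) {
  return /[<>"'&]/.test(String(stored));
}

// Stand-alone demonstration
console.log(handleUpload(PAYLOAD_FROM_POST));        // rejected
console.log(handleUpload("firmware_1.0.2.bin"));     // accepted
console.log(renderUploadStatus(PAYLOAD_FROM_POST));  // "&lt;IFRAME ..." with no raw tag
console.log(looksLikeMarkup(PAYLOAD_FROM_POST));     // true
```

Validation alone is not enough for values that are already stored, which is why the encoding step is applied at render time regardless of how the value entered the system; the audit helper exists to find such legacy values rather than to replace either defence.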

Impact

The implications of this vulnerability are significant. Once the malicious script is stored, it can execute arbitrary code in the context of the user’s browser, potentially leading to data theft, session hijacking, or further attacks on other users of the application.

Communication Timeline

Here’s a detailed timeline of our communication with the Kostal Company regarding this vulnerability:

October 17, 2022

  • Action: We reserved the CVE for the vulnerability and submitted a first contact form to Kostal Company via their website.

November 2, 2022

  • Action: Second contact with Kostal Company to report the vulnerability via email.

November 3, 2022

  • Response: Received an automatic email response from Kostal.

November 3, 2022

  • Action: We followed up, requesting the contact information for their IT department.

November 22, 2022

  • Response: Kostal acknowledged the vulnerability, stating, “We have already been able to verify the gap. At the moment we are still working on the solution to prevent a cross-site scripting (XSS) attack as you pointed out. After the creation and testing of an appropriate software patch, we will be happy to contact you again.”

January 17, 2023

  • Action: We sent a follow-up email inquiring about the status of the fix.
  • Response: No response received.

March 17, 2023

  • Action: Another follow-up email was sent asking for updates.
  • Response: No response has been received since.

Waiting…waiting…waiting…nothing :(

June 19, 2024

  • Action: We decided to post about the vulnerability, following the responsible disclosure process recommended by OWASP, since the company had stopped answering our emails.

July 02, 2024

  • Action: Kostal said that the fix is now available! ❤

That’s all folks! Stay safe, and always stay vigilant in the ever-evolving landscape of cybersecurity.


David de Paula Santos

Founder CyberX Portugal | Cyber Security Specialist | HTB CPTS | HTB CBBH | OSCP | CYSA+ | Pentest+