[+] CVE ID: Pending - CVE-2017-14973
[+] Credits: Brett DeWall aka @xbadbiddyx & Joshua Platz aka Binary1985 @joshuaplatz
[+] Websites: https://github.com/badbiddy & https://github.com/binary1985
[+] Source: https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/IDenticard%20Two-Reader%20Controller%20%3C%201.18.8%20-%20CVE-2017-14973

Vendor:
==========================
IDenticard
https://www.identicard.com/


Product:
===========
IDenticard - Two-Reader Controller Configuration Manager
Firmware version: 1.18.8 (396)


Vulnerability Type:
==========================
Stored Cross-Site Scripting (XSS)


Vulnerability Details:
=====================
The application is vulnerable to stored XSS through the 'notes' field of the user creation function. The 
note is stored without sanitisation and later rendered without output encoding, so injected JavaScript 
executes in the browser of any user who views the saved record. An authenticated attacker able to create 
or edit users could use this to inject malicious JavaScript such as a redirect, a cryptocurrency miner, 
or an exploit-kit loader.


Replication:
=====================
1) Log in and navigate to the edit user page (http://(IPADDRESS)/~user_handler?file=logged_in.shtm).

2) Create a new user. In the "notes" field, insert the payload <script>alert('xss')</script>.

3) Save the user (http://(IPADDRESS)/~edit_acct?editUser=save). The alert fires when the saved user record is viewed.


Remediation Details:
=====================
Encode user-supplied data for its output context (HTML entity encoding for the notes field) so the browser never interprets it as script.
Define an allowlist of permitted characters for each input field and reject anything outside it.
Perform validation and encoding server side; client-side checks alone can be bypassed.
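The following is an added example, not IDenticard code, illustrating both the replication check above (does the saved page contain the raw payload?) and the remediation: a rendering routine that echoes the 'notes' field verbatim next to one that validates against an allowlist at save time and HTML-encodes at render time. The field name and payload come from the advisory; the table markup, the allowlist pattern and the function names are assumptions for illustration.

```python
"""Added example (not IDenticard code): stored XSS via the 'notes' field,
and the server-side fix (allowlist validation + output encoding)."""
import html
import re

# Payload from the advisory's replication steps.
PAYLOAD = "<script>alert('xss')</script>"

# Assumed allowlist for a free-text note: letters, digits, space and a
# little punctuation, up to 255 characters. Tighten to suit the product.
NOTES_ALLOWED = re.compile(r"[A-Za-z0-9 .,'\-]{0,255}")


def render_notes_vulnerable(notes: str) -> str:
    """Models the flaw: the stored note is placed in the page verbatim,
    so '<script>' lands in element context and the browser executes it."""
    return f'<tr><td class="notes">{notes}</td></tr>'


def notes_is_allowed(notes: str) -> bool:
    """Server-side allowlist check applied when the user record is saved."""
    return NOTES_ALLOWED.fullmatch(notes) is not None


def save_user_fixed(notes: str) -> str:
    """Save-time handling: reject anything outside the allowlist instead of
    trying to strip or 'clean' it. Returns the note that gets stored."""
    if not notes_is_allowed(notes):
        raise ValueError("notes field contains characters outside the allowlist")
    return notes


def render_notes_fixed(notes: str) -> str:
    """Render-time handling: HTML-entity-encode the stored value for element
    context. Legitimate input such as O'Brien still displays correctly
    (the apostrophe becomes &#x27;), while <script> becomes inert text."""
    return f'<tr><td class="notes">{html.escape(notes, quote=True)}</td></tr>'


def payload_executes(page_html: str, payload: str = PAYLOAD) -> bool:
    """Tester's check for step 3 of the replication: the fetched page still
    contains the raw payload. A correctly encoded page contains
    '&lt;script&gt;...' instead, which this returns False for."""
    return payload in page_html


if __name__ == "__main__":
    print("vulnerable:", render_notes_vulnerable(PAYLOAD))
    print("fixed     :", render_notes_fixed(PAYLOAD))
    print("save accepts payload:", notes_is_allowed(PAYLOAD))
    print("save accepts O'Brien:", notes_is_allowed("O'Brien"))
```

Validation and encoding are independent layers: the allowlist stops the payload from ever being stored, and encoding guarantees that whatever is stored (including records written before the fix, or through another code path) cannot be interpreted as markup when displayed.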


Timeline:
=====================
2017-09-29 - Issue Reported to Vendor


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

badbiddy