In May 2019 I identified a self-XSS vulnerability on AVM's website for submitting support tickets, which could potentially have been exploited to target backend applications such as an internal ticket system as well as internal employees.
AVM is a consumer electronics company founded in 1986 in Berlin, Germany. The company produces communications and networking devices such as DSL, ISDN, wireless and VoIP products. It had sales of €580 million in 2020 with 840 employees and is well known for its popular FRITZ!Box series.
AVM lets its customers submit support requests for problems not yet covered by AVM's knowledge base. When creating such a support ticket, users must select their product and the affected software version, describe the issue as free text, and may also upload additional files. The filename of an uploaded attachment was reflected back into the page, so uploading a file named "Sun'><img src=x onerror=alert(1)>set.jpg" served as the proof of concept.
However, the filename was only reflected within the current user's own session. A potential XSS attack could therefore only target the very account that was creating the support ticket: a so-called self-XSS vulnerability, with no real impact or risk on its own.
Nonetheless, support tickets carrying such malicious filenames were accepted by AVM and would normally end up in an underlying database or internal ticket system for further processing. If ticket content such as attachment filenames is not sanitized properly there, the same filename would have been able to target the internal AVM employees handling such incoming tickets, effectively turning the self-XSS into a stored XSS against them. I did not proceed with further exploitation and reported the issue immediately, as the proof of concept already worked.
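As an added example (this is not AVM's code and not part of the original post), the following Python contrasts the two rendering paths the post describes: a template that interpolates an attachment filename verbatim into an HTML attribute and link text, and a hardened version that applies contextual HTML encoding. A third function shows the defense in depth a downstream ticket system should apply regardless of how the front end renders: normalizing stored attachment names to a safe character set. The sample filename mirrors the proof-of-concept name from the post; the template shape and all function names are assumptions.

```python
import html
import re

# Constructed sample attachment name, shaped like the proof of concept in the post.
POC_FILENAME = "Sun'><img src=x onerror=alert(1)>set.jpg"

# Hypothetical link template: filename used both inside a single-quoted attribute
# and as the visible link text.
def render_attachment_unsafe(filename: str) -> str:
    """Vulnerable rendering: the name is inserted verbatim, so a crafted name
    closes the href attribute early and injects its own element."""
    return f"<a href='/attachments/{filename}'>{filename}</a>"


def render_attachment_safe(filename: str) -> str:
    """Hardened rendering: contextual output encoding. quote=True additionally
    encodes ' and " so the value cannot break out of the attribute."""
    safe = html.escape(filename, quote=True)
    return f"<a href='/attachments/{safe}'>{safe}</a>"


# Characters a stored attachment name is allowed to keep (assumed allowlist).
_ALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(filename: str, max_len: int = 255) -> str:
    """Defense in depth for the ticket backend: replace every character outside
    the allowlist with '_' before the name is stored, so later consumers
    (internal tools, e-mail templates) never see markup-significant characters."""
    return _ALLOWED.sub("_", filename)[:max_len]


_TAG = re.compile(r"<[^>]+>")


def count_tags(markup: str) -> int:
    """Counts tag-like tokens in rendered markup. The template itself contains
    exactly two (<a ...> and </a>); any surplus means the filename injected markup."""
    return len(_TAG.findall(markup))


if __name__ == "__main__":
    unsafe = render_attachment_unsafe(POC_FILENAME)
    safe = render_attachment_safe(POC_FILENAME)
    print("unsafe:", unsafe, "-> tags:", count_tags(unsafe))
    print("safe:  ", safe, "-> tags:", count_tags(safe))
    print("stored:", sanitize_filename(POC_FILENAME))
```

The encoding step is what fixes the reflected case in the support form; the sanitizing step is what protects the employees downstream, because a ticket system that renders attachment names without its own encoding would otherwise execute the stored name exactly as the post warns.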
I reported the issue to AVM's security team via email at [email protected] and received a very fast response. The vulnerability was fixed promptly, and for my responsible disclosure I received some swag such as
- a powerbank;
- a charging cable;
- gummy bears;
- and a cool multitool keychain with the ability to open beers!
Thanks AVM for the swag and the convenient communication. No CVE was issued for this low-risk finding.