CVE-2021-35956
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

CVE-2021-3441
Stored cross-site scripting (XSS) in the embedded webserver of certain HP OfficeJet Printers—including the 4630 e-All-in-One Printer and 7110 Wide Format ePrinter— enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields.

The Mission Find, Triage, Disclose

The Internet Observatory (Obsrva) is a vulnerability research project founded by independent security researcher Tyler Butler. Obsrva engages product vendors in coordinated disclosures, publishes vulnerability advisories, and creates proof of concept exploits.

Securing the Net

Obsrva engages vendors of hardware, software, and internet-based services in coordinated disclosures after the discovery of vulnerabilities effecting their products. Following industry standards, vendors are provided identification of the vulnerability, statements addressing impact, and mitigation recommendations.

Coordinated Disclosure 🤝

Vulnerability Adisories 🛡️

Obsrva coordinates with product vendors to publish vulnerability advisories on obsrva.org/advisories. Advisories allow customers, blue and red team operators, and the broader research community to access technical details and research methodology.

Proof of Concept Exploits 👾

Obsrva develops proof of concept exploits for discovered vulnerabilities and publishes them on the exploit database (exploit-db.com). PoC’s can also be found on GitHub where PR’s are welcome for the community to collaborate.

Research Library 📚

Obsrva maintains the iOT Research Library, a collection of iOT and embedded devices available for loan by independent security researchers. The library provides access to unique, EOL, or other devices no longer under active research by Obsrva.

Featured Research

Our featured research focuses on internet of things and embedded webserver security.

CVE-2021-38701 - Avigilon Stored Cross Site Scripting CVE-2021-38701

Oct 23, 2021 —Stored cross-site scripting (XSS) in 13 different Avigilon products enables remote authenticated attackers to inject arbitrary javascript in the embedded webserver via the deviceLocation settings parameter

MonkeyType.com Vulnerability Disclosure

Aug 22, 2021 —In May, independent security researcher Tyler Butler disclosed a series of vulnerabilities in monkeytype.com including stored XSS, authentication bypass, and user spoofing.

HP Officejet - ‘AirPrint’ Cross Site Scripting (XSS) CVE-2021-3441

Aug 22, 2021 —Stored cross-site scripting (XSS) in the embedded webserver of certain HP OfficeJet Printers—including the 4630 e-All-in-One Printer and 7110 Wide Format ePrinter— enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields.

AKCP sensorProbe - 'Multiple' Cross Site Scripting (XSS) CVE-2021-35956

Jun 06, 2021 —Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

🚧 Ongoing Site Maitenance 🚧

Obsrva is currently undergoing site maitenance as exisiting platforms for vulnerability disclosures and PoC exploits are migrated to the Obsrva.org domain. Expect rapid changes and updates over the course of 2021.

Project Source Code

Connect on Twitter

Tweets by Obsrva_