CVE-2021-35956
Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

CVE-2021-3441
Stored cross-site scripting (XSS) in the embedded webserver of certain HP OfficeJet Printers—including the 4630 e-All-in-One Printer and 7110 Wide Format ePrinter— enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields.

Obsrva Vulnerability Discovery

In 2021, Obsrva coordinated vulnerability disclosures with dozens of vendors and open source project maintainers, culminating in 2 published CVE vulnerabilities including CVE-2021-35956 and CVE-2021-3441.

Securing the Net

Obsrva engages vendors of hardware, software, and internet-based services in coordinated disclosures after the discovery of vulnerabilities effecting their products. Following industry standards, vendors are provided identification of the vulnerability, statements addressing impact, and mitigation recommendations.

Latest Publications

CVE-2021-38701 - Avigilon Stored Cross Site Scripting

Research Stored cross-site scripting (XSS) in 13 different Avigilon products enables remote authenticated attackers to inject arbitrary javascript in the embedded webserver via the deviceLocation settings parameter

Published Oct 23, 2021

MonkeyType.com Vulnerability Disclosure

Research In May, independent security researcher Tyler Butler disclosed a series of vulnerabilities in monkeytype.com including stored XSS, authentication bypass, and user spoofing.

Published Aug 22, 2021

HP Officejet - ‘AirPrint’ Cross Site Scripting (XSS)

Research Stored cross-site scripting (XSS) in the embedded webserver of certain HP OfficeJet Printers—including the 4630 e-All-in-One Printer and 7110 Wide Format ePrinter— enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields.

Published Aug 22, 2021

CVE-2021-3441 Proof of Concept Exploit

POC Proof of concept exploit for CVE-2021-3441- HP OfficeJet 4630 Unauthenticated Stored Cross-Site Scripting (XSS)

AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)

POC Proof of concept exploit for AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)

PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)

POC Proof of concept exploit for PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)

PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection

POC Proof of concept exploit for PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection

AKCP sensorProbe - 'Multiple' Cross Site Scripting (XSS)

Research Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

Published Jun 06, 2021

All Advisories

Overview: Stored cross-site scripting (XSS) in the embedded webserver of certain HP OfficeJet Printers—including the 4630 e-All-in-One Printer and 7110 Wide Format ePrinter— enables remote unauthenticated attackers to introduce arbitrary JavaScript via the printer name and printer location fields.

Credit: Tyler Butler

Disclosure Date: 2021-08-22

Advisory Link: CVE-2021-3441

Overview: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

Credit: Tyler Butler

Disclosure Date: 2021-06-06

Advisory Link: CVE-2021-35956

Coordinated Disclosure 🤝

Vulnerability Adisories 🛡️

Obsrva coordinates with product vendors to publish vulnerability advisories on obsrva.org/advisories. Advisories allow customers, blue and red team operators, and the broader research community to access technical details and research methodology.

Proof of Concept Exploits 👾

Obsrva develops proof of concept exploits for discovered vulnerabilities and publishes them on the exploit database (exploit-db.com). PoC’s can also be found on GitHub where PR’s are welcome for the community to collaborate.

Research Library 📚

Obsrva maintains the iOT Research Library, a collection of iOT and embedded devices available for loan by independent security researchers. The library provides access to unique, EOL, or other devices no longer under active research by Obsrva.

🚧 Ongoing Site Maitenance 🚧

Obsrva is currently undergoing site maitenance as exisiting platforms for vulnerability disclosures and PoC exploits are migrated to the Obsrva.org domain. Expect rapid changes and updates over the course of 2021.

Project Source Code

Connect on Twitter

Tweets by Obsrva_