CVE-2022-31798
Published 2022-08-25
Priority: P343
CVSS 3.1: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public PoC referenced (see references below)
EPSS: 6.65% (93.0th percentile)
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nortekcontrol | emerge_e3_firmware | <= 0.32-07p | — |
Detection & IOCs (extracted from sources)
URL: /card_scan.php?No=0000&ReaderNo=0000&CardFormatNo=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E
- HTTP GET response body contains the string ',"CardFormatNo":""}', which indicates the vulnerable endpoint reflected the injected parameter and confirms the XSS sink.
- The response must return HTTP 200 with Content-Type text/html for the XSS to be exploitable; use these as additional matcher conditions.
- Shodan dork 'http.title:"eMerge"' or 'http.title:"linear emerge"' can be used to identify internet-exposed vulnerable devices.
- FOFA dork 'title="emerge"' or 'title="linear emerge"' can be used to identify exposed instances.
- Google dork 'intitle:"linear emerge"' or 'intitle:"emerge"' can surface publicly indexed vulnerable panels.
- The attack chain requires chaining the XSS in the CardFormatNo parameter with session fixation via the PHPSESSID cookie to achieve full account takeover of admin or lower-privileged users.
- The vulnerability affects Nortek Linear eMerge E3-Series firmware version 0.32-07p specifically; detections should be scoped to this firmware version.
- The XSS and session fixation must be chained together to achieve account takeover; XSS alone is insufficient for full exploitation.
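As an added example (not part of this page, the Nuclei project, or any vendor code), the following Python turns the matcher conditions above into two defensive checks: one that flags exploitation attempts against /card_scan.php in web-server access logs by URL-decoding the CardFormatNo parameter and looking for HTML/JavaScript markers, and one that encodes the response conditions (HTTP 200, text/html, the ',"CardFormatNo":""}' fragment) so a scanner result can be triaged consistently. The log lines, IP addresses, marker regex and function names are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# Line 2 carries the percent-encoded payload quoted on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2022:10:01:02 +0000] "GET /card_scan.php?No=0001&ReaderNo=0002&CardFormatNo=1 HTTP/1.1" 200 58 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Aug/2022:10:01:07 +0000] "GET /card_scan.php?No=0000&ReaderNo=0000&CardFormatNo=%3Cimg%20src%3Dx%20onerror%3Dalert%28document.domain%29%3E HTTP/1.1" 200 112 "-" "curl/7.81.0"
10.0.0.9 - - [25/Aug/2022:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.81.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that have no business in a numeric card-format field (assumed heuristic):
# angle brackets, on*= event handlers, javascript: URLs, or the word "script".
MARKUP_RE = re.compile(r'<|>|\bon\w+\s*=|javascript:|script', re.IGNORECASE)

# Exact body fragment the page lists as the reflection indicator.
REFLECTION_MARKER = ',"CardFormatNo":""}'


def card_format_values(target):
    """Return decoded CardFormatNo values for requests to /card_scan.php, else []."""
    parsed = urllib.parse.urlsplit(target)
    if parsed.path != '/card_scan.php':
        return []
    params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    # parse_qs already percent-decodes once; a second unquote catches
    # double-encoded payloads (%253C -> %3C -> <).
    return [urllib.parse.unquote(v) for v in params.get('CardFormatNo', [])]


def find_xss_attempts(log_text):
    """Scan access-log text and return one dict per suspicious CardFormatNo value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than crash
        for value in card_format_values(m.group('target')):
            if MARKUP_RE.search(value):
                hits.append({
                    'ip': m.group('ip'),
                    'ts': m.group('ts'),
                    'status': int(m.group('status')),
                    'payload': value,
                })
    return hits


def matches_page_conditions(status, content_type, body):
    """Apply the three matcher conditions listed on this page to a captured response."""
    return (
        status == 200
        and content_type.lower().startswith('text/html')
        and REFLECTION_MARKER in body
    )


if __name__ == '__main__':
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} payload={hit['payload']!r}")
```

Because the device reflects the parameter without encoding, matching on the decoded value (rather than on the raw `%3C`) keeps the rule effective against mixed or double encoding; tightening MARKUP_RE to "anything that is not a digit" would be a stricter option if the field is known to be numeric on your firmware.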
No detection rules found.
Nuclei
CVE-2022-31798 [MEDIUM] Nortek Linear eMerge E3-Series - Cross-Site Scripting (CVSS 6.1)
There is a local session fixation vulnerability that, when chained with cross-site scripting, leads to account takeover of admin or a lower-privileged user.
Template:
```yaml
id: CVE-2022-31798

info:
  name: Nortek Linear eMerge E3-Series - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    There is a local session fixation vulnerability that, when chained with cross-site scripting, leads to account take over of admin or a lower privileged user.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Apply the latest se
```
References:
- http://packetstormsecurity.com/files/167992/Nortek-Linear-eMerge-E3-Series-Account-Takeover.html
- https://eg.linkedin.com/in/omar-1-hashem
- https://gist.github.com/omarhashem123/bccdcec70ab7e8f00519d56ea2e3fd79