Ruckus Unleashed version 200.13.6.1.319 (and earlier) is vulnerable to a Cross-Site Scripting (XSS) attack, identified as CVE-2023-25717.
This flaw allows an unauthenticated attacker to inject malicious scripts into the web interface. The vulnerability stems from insufficient input validation, failing to properly sanitize user-supplied data before it's rendered in the browser.
When a legitimate user accesses a crafted URL or interacts with a compromised part of the interface, their browser executes the attacker's script. Potential impacts include session hijacking, data theft, redirection to malicious sites, or defacement of the web UI.
Users are strongly advised to upgrade to a patched version (e.g., 200.13.6.1.320 or later) to mitigate this risk.
# CVE-2025-63735 - Reflected XSS in Ruckus Unleashed 200.13.6.1.319
## Summary
A reflected cross-site scripting (XSS) vulnerability exists in Ruckus Unleashed 200.13.6.1.319 via the `name` parameter to the captive-portal endpoint `selfguestpass/guestAccessSubmit.jsp`.
## Vendor
Ruckus Wireless
## Product
Controller-less Systems (RUCKUS Unleashed)
## Affected Version
200.13.6.1.319
## Vulnerable Endpoint
`/selfguestpass/guestAccessSubmit.jsp`
## Parameter
`name`
## Proof of Concept
`https://192.168.1.51/selfguestpass/guestAccessSubmit.jsp?cookie=null&tip=5&name=</p><form><iframe 	  src="javascript:alert('huthx')" 	;>`

## Description
The application reflects unsanitized user-controlled input from the `name` parameter back into the page response, enabling arbitrary JavaScript execution.
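To check whether this endpoint has been probed, the following added example (not part of the original advisory or any vendor code) scans access-log lines for requests to the vulnerable endpoint whose `name` value decodes to HTML markup. The log format, the sample lines, and the function names are assumptions constructed for illustration; it presumes a proxy or other device that records full request URLs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/selfguestpass/guestAccessSubmit.jsp"  # endpoint named in the advisory
# Markup that should never appear in a guest name once the value is decoded.
MARKUP = re.compile(r'[<>"]|javascript\s*:', re.IGNORECASE)
# Request field of a common/combined-format log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = [
    '10.0.0.7 - - [24/Nov/2025:10:00:00 +0000] "GET /selfguestpass/guestAccessSubmit.jsp?cookie=null&tip=5&name=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Nov/2025:10:01:00 +0000] "GET /selfguestpass/guestAccessSubmit.jsp?cookie=null&tip=5&name=%3C%2Fp%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 540',
    '10.0.0.12 - - [24/Nov/2025:10:02:00 +0000] "GET /selfguestpass/guestAccessSubmit.jsp?tip=5&name=%253Cb%253E HTTP/1.1" 200 530',
    '10.0.0.3 - - [24/Nov/2025:10:03:00 +0000] "GET /index.html?name=%3Cb%3E HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_name_values(log_lines):
    """Return (client, decoded name) for endpoint requests carrying markup."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if unquote(url.path) != ENDPOINT:
            continue  # only the captive-portal endpoint is in scope here
        for raw in parse_qs(url.query, keep_blank_values=True).get("name", []):
            value = fully_decode(raw)
            if MARKUP.search(value):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_name_values(SAMPLE_LOG):
        print(f"{client} sent markup in name: {value!r}")
```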
## Impact
An attacker can execute JavaScript in the victim's browser, leading to session hijacking, credential theft, forced redirection, or UI manipulation.
## Discoverer
Huthaifa Qashou
## References
- https://www.ruckusnetworks.com/products/network-control-and-management/controller-less/
- CVE-2025-63735 (MITRE) - Pending publication
## Disclosure Timeline
- Reported to vendor: 24 October 2025
- CVE reserved: 12 November 2025
- Public disclosure: 24 November 2025
Ruckus Unleashed 200.13.6.1.319 Cross Site Scripting
- Written by: khalil shreateh