Share
## https://sploitus.com/exploit?id=09E42E2D-E8DE-5F5B-9927-3E695E2BE70D
# CVE-2025-69606 โ€” Reflected XSS in GSVoIP Web Panel

> **Severity:** Medium  |  **CWE:** CWE-79  |  **Auth Required:** No  |  **Vector:** Remote

---

## Summary

A **Reflected Cross-Site Scripting (XSS)** vulnerability was identified in the **GSVoIP Web Panel (v2.0.90)**. The `msg` parameter of the error endpoint does not sanitize user-controlled input before reflecting it in the HTML response, allowing arbitrary JavaScript execution in the victim's browser.

---

## Affected Product

| Field       | Details                          |
|-------------|----------------------------------|
| Product     | GSVoIP Web Panel                 |
| Version     | 2.0.90 (likely earlier versions) |
| Vendor      | Solutions VoIP (GS Solutions)    |
| CWE         | CWE-79 โ€” Cross-Site Scripting    |
| Attack Vector | Remote / Network               |
| Authentication | Not required                  |

---

## Vulnerable Endpoint

```
GET /painel/gateways.php/error?msg=
```

The `msg` parameter is reflected directly in the HTML response without sanitization or output encoding.

---

## Proof of Concept

### Payload

```
https://{TARGET}/painel/gateways.php/error?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E
```

**Decoded:**

```html
alert(1)
```

### Result

When the crafted URL is accessed, the injected payload executes in the victim's browser:

```javascript
alert(1)
```

---

## Attack Scenario

1. The attacker crafts a malicious URL containing the XSS payload in the `msg` parameter.
2. The victim is tricked into clicking the link (via phishing, social engineering, etc.).
3. The page loads and the injected JavaScript executes in the victim's browser context โ€” **no authentication required**.

---

## Impact

- Arbitrary JavaScript execution in the victim's browser
- Session hijacking via cookie theft
- Phishing and social engineering attacks
- Sensitive data exfiltration
- Content defacement within the application context

---

## Recommendations

- **Output encoding:** Encode all user-supplied input before rendering it in HTML responses (HTML entity encoding at minimum).
- **Secure templating:** Use a templating engine with auto-escaping enabled.
- **Content Security Policy (CSP):** Implement a strict CSP with restrictive `script-src` directives.
- **Input validation:** Reject or strip parameters containing HTML tags or script sequences at the input layer.

---

## Disclosure Timeline

| Step | Event                                           |
|------|-------------------------------------------------|
| 1    | Vulnerability discovered and reported by Luiz Eduardo |
| 2    | CVE assigned: `CVE-2025-69606`                  |
| 3    | Public disclosure                               |

---

## Credits

Discovered and reported by **Luiz Eduardo**

---

*CVE-2025-69606 ยท CWE-79 ยท GSVoIP Web Panel v2.0.90*