Share
## https://sploitus.com/exploit?id=PACKETSTORM:160082
#Exploit Title: Kaa IoT Platform 1.2.0 Cross Site Scripting (XSS)  
Vulnerability  
#Date: 2020-10-01  
#Exploit Author: Mufaddal Masalawala  
#Vendor Homepage: https://www.kaaproject.org/  
#Software Link: https://cloud.kaaiot.com/  
#Version: 1.2.0  
#Tested on: Kali Linux 2020.3  
#CVE: CVE-2020-26701  
#Proof Of Concept:  
Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT  
Platform v1.2.0 allows remote attackers to inject malicious web scripts or  
HTML Injection payloads via the Description parameter.  
To exploit this vulnerability:  
  
1. Open Firefox browser, login to the cloud.kaaiot.com and access the  
dashboard  
2. Go to 'Solutions' module, select any one solution(create if not  
present) and click on it.  
3. Now in the Dashboards module, edit the Dashboard.  
4. in Description, enter the payload <img src="x"  
onerror="alert(window.location)" /> and click 'Update'.  
5. Open that Dashboard and you'll receive an alert executing user  
supplied script in the browser.