Ksenia Security lares (legacy model) version 1.6 contains a URL redirection vulnerability in the cmdOk.xml script that allows attackers to manipulate the redirectPage GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lares_firmware | Kseniasecurity | 1.6 (including) | 1.6 (including) |
References
- https://packetstorm.news/files/id/190179/
- https://www.kseniasecurity.com/
- https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-url-redirection-vulnerability
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5928.php