Cross-site scripting vulnerability in the administrative interface of UniFi Controller


The UniFi Controller software displays a client's hostname alongside other metadata about the client. The hostname, which is supplied by the client device itself and is therefore attacker-controlled, is rendered as a hyperlink (clicking it opens a context menu for applying various settings to that client). The implementation does not escape the hostname before inserting it into the interface's HTML, so an attacker can embed arbitrary HTML and JavaScript in it, resulting in a stored cross-site scripting (XSS) vulnerability.


An attacker can set a specially crafted hostname on a wireless client and use the resulting script injection or cross-site scripting to make unauthorized changes with the privileges of the logged-in administrator, or to inject arbitrary HTML content, as soon as that client's information is rendered in the UI. No interaction beyond viewing the client list is required.
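The following is an added example, not code from UniFi or Ubiquiti, illustrating the rendering pattern described above and its fix. It assumes a hostname string that the controller learned from the client (for instance via DHCP) is interpolated into the markup of a clickable client entry; the function and class names are hypothetical, and the hostname payload is constructed for the demonstration.

```javascript
// Added example (hypothetical code, not the UniFi Controller's own).
// Demonstrates rendering an attacker-controlled hostname into HTML.

// Constructed attacker-supplied hostname: an <img> whose onerror handler
// runs script as soon as the element is rendered, with no click needed.
const maliciousHostname = '<img src=x onerror="alert(document.cookie)">';
const benignHostname = 'laptop-01';

// Vulnerable: the raw hostname is concatenated straight into the markup,
// which is the defect the advisory describes.
function renderClientRowVulnerable(hostname) {
  return `<a href="#" class="client">${hostname}</a>`;
}

// Escape the five characters that can break out of text or attribute
// context before the value is placed into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same markup, but the hostname is escaped first.
function renderClientRowSafe(hostname) {
  return `<a href="#" class="client">${escapeHtml(hostname)}</a>`;
}

// Preferable in a browser: do not build HTML strings at all; assign the
// hostname as text so it is never parsed as markup (standard DOM APIs only).
function renderClientRowDom(doc, hostname) {
  const a = doc.createElement('a');
  a.href = '#';
  a.className = 'client';
  a.textContent = hostname; // rendered literally, never interpreted as HTML
  return a;
}

// Check helper: does the rendered row contain any tag besides our own <a>?
function containsInjectedTag(html) {
  const inner = html.replace(/^<a [^>]*>/, '').replace(/<\/a>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderClientRowVulnerable(maliciousHostname));
  console.log('safe:      ', renderClientRowSafe(maliciousHostname));
}
```

Output encoding must happen at the point where the hostname enters HTML, not when it is stored; the same value may legitimately need a different encoding if it is later placed into JavaScript or a URL.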


Upgrade your UniFi Controller to version 2.3.6 or later.


The vulnerability was discovered by Moritz 'momo' Frenzel, who immediately contacted our team at Ubiquiti. Thanks also go to shackspace (Stuttgart hackerspace) for providing the infrastructure.