Hey Folks,

I was working in UBNT for bounty and i found several xss there so i’m sharing one of the cool xss.

function dispatchInit(param1:Event=null) : void {
    if(ExternalInterface.available == false){
    if(bridgeName == null){
        bridgeName = baseObject.root.loaderInfo.parameters["bridgeName"];
        if(bridgeName == null){
            bridgeName = "flash";
     _registerComplete = ExternalInterface.call("FABridge__bridgeInitialized",[bridgeName]);
    dispatchEvent(new Event(FABridge.INITIALIZED));

In the above code the FlashVar parameter “bridgeName” is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed when the vulnerable function is called (when the page loads).

Proof of Concept :

As proof of concept the following URL will inject the JavaScript code “alert(1)” to illustrate the flaw:


store.ubnt.com xss

Some other path:


Bug is fixed now.

Best Regard

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

This site uses Akismet to reduce spam. Learn how your comment data is processed.