Q's blog


CVE-2025-57444 Stored XSS on Radware's AlteonOS Web UI Management AppShape++ Script Panel - 33.0.4.50

This is a public record and proof of concept for CVE-2025-57444, a vulnerability affecting Radware's AlteonOS Web UI Management 33.0.4.50. It covers:

  1. Stored XSS on AppShape++ Script Panel using Description parameter

Impact

Arbitrary Javascript Code Execution

A classic case of missing input validation leading to XSS: the vulnerability affects the Description parameter of the AppShape++ Script panel. For more information on XSS and its implications, I suggest the references below (this article does not examine in-depth effects such as cookie theft, since those also depend on the website's configuration; in general, XSS behaves similarly):

  1. OWASP XSS

To reproduce this vulnerability, you need access to an account with AppShape++ Script privileges such as create and/or edit. We use a basic payload:

<img src="#" onclick=alert(0) >

The following are the simple steps to reproduce the vulnerability.

  1. Insert the payload in the AppShape++ Script Description parameter

  2. Trigger the XSS payload
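As an added example (not code from the original post or from Radware), the following shows why the Description value above becomes live markup when concatenated into the UI, and how contextual HTML encoding neutralises it. The rendering and helper function names are hypothetical; the sample input is the payload quoted in this post.

```javascript
// Added example, not part of the original post or of AlteonOS.
// Assumptions: the panel renders the stored Description into an HTML text
// context; renderDescriptionUnsafe/renderDescriptionSafe are hypothetical
// stand-ins for that rendering code.

// Contextual output encoding for an HTML text context: every character that
// can open a tag, attribute or entity is replaced with its entity form.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the stored description is concatenated straight into
// markup, so a description containing a tag is parsed as HTML by the browser.
function renderDescriptionUnsafe(description) {
  return "<td>" + description + "</td>";
}

// Hardened pattern: the same value, encoded for the HTML text context, is
// displayed literally and cannot introduce an element or event handler.
function renderDescriptionSafe(description) {
  return "<td>" + escapeHtml(description) + "</td>";
}

// Detection aid for a free-text field: if encoding changes the value, it
// contained markup-significant characters and is worth logging or rejecting
// at the point where the description is saved.
function containsMarkup(description) {
  return escapeHtml(description) !== String(description);
}

// Constructed sample input: the payload quoted in this post.
const samplePayload = '<img src="#" onclick=alert(0) >';
```
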
