Unauthenticated XSS

The Technicolor MediaAccess TG789vac v2 HP log viewer in the web interface records POST requests that do not include a CSRF token. In doing so, it echoes several client-controlled values into the web interface without encoding them. It does this even if the entity that sent the POST request is not logged in, so an unauthenticated user can embed custom JavaScript into the log viewer.

The attacker sends a web request with the CSRF token missing, and the JavaScript the attacker wishes to force the legitimate user's browser to execute is supplied as the "Referer" header.

The legitimate user (typically an admin) navigates the admin web interface to the 'Log viewer' page, and the stored attacker-controlled script executes in their browser.

It should be noted, however, that the web server stores its session token in a cookie with the 'HttpOnly' flag set, which prevents a user's session from being hijacked outright via `document.cookie`. It is still not great.
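The following is an added illustration, not code from Technicolor's firmware: it models the defect described above (a log viewer row built from an unescaped request header) beside the hardened form that HTML-encodes every untrusted field before it reaches the page, and includes a small check of the Set-Cookie flags mentioned in the note on HttpOnly. The request dictionary, the hostile Referer value and the Set-Cookie string are constructed samples, and the row layout is a simplification of whatever the real log viewer renders.

```python
import html

# Constructed sample request as a log viewer might record it. The Referer
# header is chosen by whoever sent the request, so it is untrusted input.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/login",
    "referer": "<script>alert(1)</script>",  # constructed hostile value
}

LOGGED_FIELDS = ("method", "path", "referer")


def render_log_row_vulnerable(req):
    """Build the log viewer row by plain string interpolation.

    This mirrors the defect in the advisory: whatever the client put in the
    Referer header lands in the admin page as live markup.
    """
    return "<tr>" + "".join(f"<td>{req[k]}</td>" for k in LOGGED_FIELDS) + "</tr>"


def render_log_row_safe(req):
    """Same row, with every untrusted field HTML-escaped before rendering.

    html.escape(quote=True) encodes < > & " and ', so the browser shows the
    Referer text instead of executing it.
    """
    cells = (html.escape(str(req[k]), quote=True) for k in LOGGED_FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def raw_markup_survived(rendered, untrusted_value):
    """True if the untrusted value appears unchanged in the rendered output,
    i.e. the page would interpret it as markup rather than text."""
    return untrusted_value in rendered


def session_cookie_flags(set_cookie_header):
    """Parse one Set-Cookie header value and report its defensive attributes.

    HttpOnly is the mitigation the advisory notes (script cannot read the
    token); Secure and SameSite are reported too because a reviewer checks
    them at the same time.
    """
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value of the cookie itself
        name, _, value = part.partition("=")
        attrs[name.lower()] = value if value else True
    return {
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": attrs.get("samesite"),
    }


if __name__ == "__main__":
    print("vulnerable:", render_log_row_vulnerable(SAMPLE_REQUEST))
    print("safe:      ", render_log_row_safe(SAMPLE_REQUEST))
    # Constructed Set-Cookie header in the style the advisory describes.
    print(session_cookie_flags("sessionID=constructed123; Path=/; HttpOnly"))
```

The escaping must happen at the point the log entry is written into HTML, not when the request is logged, so that the stored log stays faithful and the encoding matches the output context. The cookie check is informational only: HttpOnly limits what an injected script can read, but it does nothing to stop the script from issuing requests with the admin's session, which is why the advisory still rates the issue as a problem.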