Ksenia Security Lares 4.0 Home Automation URL Redirection
Ksenia Security Lares 4.0 has a URL redirection vulnerability: an attacker can use the `redirectPage` parameter to redirect users to a malicious website. 2025-4-1 19:58:28 Author: cxsecurity.com

# Exploit Title: Ksenia Security Lares 4.0 Home Automation URL Redirection
# Google Dork: N/A
# Date: 31 March 2025
# Exploit Author: Mencha 'ShadeLock' Isajlovska
# Vendor Homepage: https://www.kseniasecurity.com/en/
# Software Link: https://www.kseniasecurity.com/en/company/why-lares-4-0.html
# Version: Lares 4.0
# Tested on: Ksenia Lares Webserver
# CVE : N/A
# Desc: Input passed via the 'redirectPage' GET parameter in 'cmdOk.xml' script is not properly verified before being used to redirect users. This can be exploited to redirect an authenticating user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

http://192.168.1.2/xml/cmd/cmdOk.xml?cmd=setMacro&pin=123456&macroId=2&redirectPage=//zeroscience.mk
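The verification the advisory describes as missing can be sketched as follows. This is an added example, not vendor code or part of the original advisory; the function names, the fallback page `/index.html` and the policy that `redirectPage` may only name a same-site absolute path are assumptions.

```python
from urllib.parse import parse_qs, unquote, urlsplit

DEFAULT_PAGE = "/index.html"  # assumed fallback page, not taken from the advisory


def safe_redirect_target(value, default=DEFAULT_PAGE):
    """Return value only if it is a same-site absolute path, else default."""
    if not value:
        return default
    # Judge the decoded form so %2f%2fhost is treated like //host.
    decoded = unquote(value)
    # Browsers drop tab/CR/LF and read "\" as "/", so refuse all of them.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in decoded):
        return default
    # One leading slash only: "//host" is scheme-relative and leaves the site.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return default
    return value


def redirect_for_request(url):
    """Extract redirectPage from a request URL and return the safe target."""
    query = parse_qs(urlsplit(url).query)
    return safe_redirect_target(query.get("redirectPage", [""])[0])


if __name__ == "__main__":
    # First URL is the one quoted in the advisory; the second is constructed.
    for u in (
        "http://192.168.1.2/xml/cmd/cmdOk.xml?cmd=setMacro&pin=123456&macroId=2&redirectPage=//zeroscience.mk",
        "http://192.168.1.2/xml/cmd/cmdOk.xml?cmd=setMacro&macroId=2&redirectPage=/home.html",
    ):
        print(redirect_for_request(u))
```

The scheme-relative value from the advisory falls back to the default page, while a plain local path passes through unchanged.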


Source: https://cxsecurity.com/issue/WLB-2025040005