History: Jan 16, 2014 - 7:55 p.m.

CVE-2013-6786

2014-01-16 19:55:00
CWE-79
web.nvd.nist.gov
cve-2013-6786
allegro rompager
xss
zyxel p660hw-d1
huawei mt882
sitecom wl-174
tp-link td-8816
d-link dsl-2640r
d-link dsl-2641r
http referer header
404 page
security vulnerability

AI Score: 7.7 High (Confidence: Low)

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low (Percentile: 53.3%)

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the “forbidden author header” protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a “URL redirection” issue that some sources list separately.
