D-Link DI-524 2.06RU Cross Site Scripting

Type packetstorm
Reporter Semen Alexandrovich Lyhin
Modified 2019-04-10T00:00:00


# Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524  
# Date: April 6, 2019  
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)  
# Vendor Homepage: https://www.dlink.com  
# Version: D-Link DI-524 - V2.06RU  
# CVE : CVE-2019-11017   
To reproduce the reflected XSS vulnerability, log in to the Web Configuration (default credentials are "admin":"" without the double quotes) and send a GET request to the router with the malformed vulnerable parameter:  
Where $IP may be equal to "", $PAYLOAD may be equal to "alert(document.location)".  
Stored XSS vulnerabilities were found in web forms on the pages /spap.htm and /smap.htm. To inject malicious JavaScript into the victim's webpage, an attacker must authenticate to the router, put a payload into any of the vulnerable forms, and wait until the victim opens the router's web interface and goes to the vulnerable page.  
I haven't tested all the admin panel of the router, so I can guess that there are other XSS vulnerabilities in this router.
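
The fix side of the stored XSS described above, as an added example (not code from the advisory or from D-Link's firmware): a bounded HTML encoder applied to a stored form value before it is written back into a page such as /spap.htm or /smap.htm. The function name `html_encode` and the assumption that the page generator is written in C are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Encode src for use in an HTML text node or a quoted attribute value.
 * dst_len is the size of dst in bytes, including the terminating NUL.
 * Returns the encoded length, or -1 if dst is too small. On failure dst
 * is set to "" so the caller never emits a partially encoded value
 * (a cut-off entity such as "&l" would corrupt the page). */
long html_encode(const char *src, char *dst, size_t dst_len)
{
    size_t out = 0;

    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return 0;

    for (; *src != '\0'; src++) {
        const char *rep = NULL;   /* entity for a markup-significant byte */
        size_t n = 1;             /* bytes this input byte will occupy */

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep != NULL)
            n = strlen(rep);
        if (n >= dst_len - out) { /* no room for n bytes plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (rep != NULL)
            memcpy(dst + out, rep, n);
        else
            dst[out] = *src;
        out += n;
    }
    dst[out] = '\0';
    return (long)out;
}
```

This encoding covers values placed in element content or inside quoted attributes; values written into a script block or a URL need the encoding for that context instead.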