header-logo
Suggest Exploit
vendor:
D152 ADSL Router
by:
Sandip Dey
5.4
CVSS
MEDIUM
Cross-Site Scripting
79
CWE
Product Name: D152 ADSL Router
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2018-14497
CPE: h:tenda:d152_adsl_router
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 8.1
2018

Tenda D152 ADSL Router – Cross-Site Scripting

Tenda D152 ADSL Router is vulnerable to Cross-Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code into the SSID field of the router's web interface. When a user visits the router's web interface, the malicious code will be executed in the user's browser, allowing the attacker to gain access to the user's session.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their router to the latest version.
Source

Exploit-DB raw data:

# Exploit Title: Tenda D152 ADSL Router - Cross-Site Scripting
# Exploit Author: Sandip Dey
# Date: 2018-07-21
# Vendor Homepage:  http://www.tendacn.com
# Hardware Link: https://www.amazon.in/Tenda-D152-ADSL2-Modem-Router/dp/B00IM8CWTE/ref=sr_1_fkmr0_1?ie=UTF8&qid=1536170904&sr=8-1-fkmr0&keywords=Tenda+D152+ADSL+router
# Category: Hardware
# Tested on: Windows 8.1
# CVE: CVE-2018-14497
  
# Reproduction Steps:
  
Goto your Wifi Router Gateway [i.e: http://Target]
Go to --> "General Setup" --> "Wireless" --> "Basic Settings
Now change the SSID to <script>alert("Sandip")</script> and hit apply
Refresh the page, and you will get the "Sandip" pop-up

Navigation

Suggest Exploit

Services By CQR