Linksys EA7500 2.0.8.194281 - Cross-Site Scripting

vendor:

EA7500

by:

MiningOmerta

6.1

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: EA7500

Affected Version From: 2.0.8.194281

Affected Version To: 2.0.8.194281

Patch Exists: YES

Related CWE: CVE-2012-6708

CPE: h:linksys:ea7500

Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2012-6708/, https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2012-6708/, https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2012-6708/, https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2012-6708/, https://www.rapid7.com/db/vulnerabilities/jquery-cve-2012-6708/

Other Scripts: N/A

Platforms Tested: Linksys EA7500

2021

Linksys EA7500 2.0.8.194281 – Cross-Site Scripting

Cross-Site Scripting Vulnerability on modern versions of Linksys Smart-Wifi home routers caused by outdated jQuery(strInput) version : <= 1.7.1 (Fixed in version 1.9.0). When logging into the router (http://LHOST or http://LHOST:10080), choose 'Click Here' next to 'Dont Have an Account?' or Choose 'click here' after 'To login with your Linksys Smart Wi-Fi account', you will be redirected with a login prompt with both Email Address and Password forms. Make your email address '<img src=0 onerror=alert(XSS)' without the double quotes. Payload will be triggered when mouse is clicked anywhere within the Email Address form box or when form is submitted.

Mitigation:

Upgrade to jQuery version 1.9.0 or later.

Source

Exploit-DB raw data:

# Exploit Title: Linksys EA7500 2.0.8.194281 - Cross-Site Scripting 
# Date: 3/24/21
# Exploit Author: MiningOmerta
# Vendor Homepage: https://www.linksys.com/
# Version: EA7500 Firmware Version: 2.0.8.194281
# CVE: CVE-2012-6708
# Tested On: Linksys EA7500 (jQuery version 1.7.1)

# Cross-Site Scripting Vulnerability on modern versions of Linksys Smart-Wifi home routers. 
# Caused by outdated jQuery(strInput) version : <= 1.7.1  (Fixed in version 1.9.0)
# Credit also to Reddit user michael1026

###
POC
###

1. When logging into the router (http://LHOST or http://LHOST:10080), choose "Click Here" 
   next to "Dont Have an Account? " or Choose "click here" after "To login with your Linksys Smart Wi-Fi account", 
   you will be redirected with a login prompt with both Email Address and Password forms. 

2. Make your email address "<img src=0 onerror=alert(XSS)>" without the double quotes. 

3. Payload will be triggered when mouse is clicked anywhere within the Email Address form box or when form is submitted.