D-Link DSL-2740E ADSL Router Multiple HTML Injection Vulnerabilities

D-Link DSL-2740E ADSL Router is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Information

Bugtraq ID: 101622
Class: Input Validation Error
CVE: CVE-2016-10699

Remote: Yes
Local: No
Published: Sep 16 2016 12:00AM
Updated: Oct 31 2017 07:05PM
Credit: Jose Tozo of Trustwave
Vulnerable:

Not Vulnerable:

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• D-Link Homepage (D-Link)
  
• Trustwave SpiderLabs Security Advisory TWSL2016-018: Multiple Persistent XSS (trustwave.com)
  

Source: www.securityfocus.com