CVE-2013-5223

CVSS 5.4 MEDIUM · EPSS 33.6% · ● KEV · CWE-79
In short

A D-Link router's web interface has multiple vulnerabilities that allow an authenticated attacker to inject malicious scripts into various settings pages. When an administrator views these pages, the attacker's script runs in their browser, potentially stealing credentials or compromising the router.

Technical detail

Multiple reflected XSS vulnerabilities across 16 different CGI endpoints (sntpcfg.cgi, ddnsmngr.cmd, urlfilter.cmd, etc.) in the D-Link DSL-2760U Rev. E1. The attack requires authenticated access, and exploitation occurs when an administrator visits a crafted malicious link. Successful exploitation enables session hijacking, credential theft, or unauthorized router reconfiguration.

Summary generated and translated by AI from the official description.
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev. E1) allow remote authenticated users to inject arbitrary web script or HTML via the (1) ntpServer1 parameter to sntpcfg.cgi, username parameter to (2) ddnsmngr.cmd or (3) todmngr.tod, (4) TodUrlAdd parameter to urlfilter.cmd, (5) appName parameter to scprttrg.cmd, (6) fltName in an add action or (7) rmLst parameter in a remove action to scoutflt.cmd, (8) groupName parameter to portmapcfg.cmd, (9) snmpRoCommunity parameter to snmpconfig.cgi, (10) fltName parameter to scinflt.cmd, (11) PolicyName in an add action or (12) rmLst parameter in a remove action to prmngr.cmd, (13) ippName parameter to ippcfg.cmd, (14) smbNetBiosName or (15) smbDirName parameter to samba.cgi, or (16) wlSsid parameter to wlcfg.wl.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
