Tuesday, 24 July 2018

CVE-2018-14497: Tenda D152 ADSL routers allow XSS via a crafted SSID


CVE-2018-14497: Tenda D152 ADSL routers allow XSS via a crafted SSID


This vulnerability was found by me on the above mention router. This post will explain in detail where this vulnerability was identified, using actual code samples.


Step 1:


Connect to the wifi router and open the login page


Step 2:


Now change the SSID parameter name to <script>alert("sandip")</script>



Step 3:


Press ok

Now everything is done. Now after the page reloads you will find that you will have a stored XSS as soon as you open General and then Basic Setup.








Steps are mentioned below:


Go to admin panel or login page

Go to SSID parameter and change the name to <script>alert("sandip")</script>

Then press ok

Now when you reload the page it will show you a popup name sandip