CVE-2018-14497: Tenda D152 ADSL routers allow XSS via a crafted SSID

CVE-2018-14497: Tenda D152 ADSL routers allow XSS via a crafted SSID

This vulnerability was found by me on the above mention router. This post will explain in detail where this vulnerability was identified, using actual code samples.

Step 1:

Connect to the wifi router and open the login page

Step 2:

Now change the SSID parameter name to <script>alert("sandip")</script>

Step 3:

Press ok

Now everything is done. Now after the page reloads you will find that you will have a stored XSS as soon as you open General and then Basic Setup.

Steps are mentioned below:

Go to admin panel or login page

Go to SSID parameter and change the name to <script>alert("sandip")</script>

Then press ok

Now when you reload the page it will show you a popup name sandip