CVE-2023-34856 in DI-7500G-CI
Summary
by MITRE • 06/09/2023
A Cross Site Scripting (XSS) vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /auth_pic.cgi.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/09/2026
The vulnerability CVE-2023-34856 represents a critical cross site scripting flaw in D-Link DI-7500G-CI router firmware version 19.05.29A, specifically affecting the /auth_pic.cgi web interface component. This vulnerability resides within the router's authentication picture upload functionality, where the system fails to properly sanitize user-supplied input before processing and storing uploaded HTML files. The flaw enables attackers to inject malicious scripts that execute in the context of the victim's browser when the compromised image is viewed or processed by the router's web interface.
The technical implementation of this vulnerability stems from inadequate input validation and output encoding mechanisms within the D-Link firmware's authentication picture handling module. When users upload images through the /auth_pic.cgi endpoint, the system does not sufficiently filter or escape special characters that could be interpreted as HTML or JavaScript code. This failure in proper sanitization creates an exploitable condition where malicious actors can craft HTML files containing embedded scripts that persist within the router's image storage and execute upon subsequent access. The vulnerability is classified as CWE-79 - Improper Neutralization of Input During Web Page Generation, which directly maps to the standard web application security weakness category for XSS vulnerabilities.
The operational impact of this vulnerability extends beyond simple script execution, as it allows attackers to establish persistent access to the router's administrative interface. An attacker who successfully exploits this vulnerability can manipulate the router's configuration settings, potentially gaining unauthorized access to network resources, modifying firewall rules, or redirecting traffic to malicious endpoints. The attack vector requires minimal privileges since the vulnerability exists in a publicly accessible web interface, and the malicious HTML file can be uploaded by any authenticated user with access to the router's management portal. This makes the vulnerability particularly dangerous in environments where router management interfaces are accessible from untrusted networks or where users may inadvertently interact with compromised content.
The security implications of CVE-2023-34856 align with ATT&CK technique T1059.007 - Command and Scripting Interpreter: JavaScript, as the vulnerability enables execution of malicious JavaScript code within the browser context of authenticated users. The attack chain typically involves uploading a malicious HTML file containing embedded JavaScript that leverages the router's own authentication mechanisms to execute commands or exfiltrate information. Organizations should consider implementing network segmentation to isolate router management interfaces from general network traffic, as well as deploying web application firewalls that can detect and block malicious script payloads. Additionally, regular firmware updates from D-Link should be prioritized to address this vulnerability, as the manufacturer has likely released patches to remediate the input sanitization issues within the /auth_pic.cgi component. Network monitoring should also include detection of unusual file upload patterns to the router's administrative interface, as these activities may indicate exploitation attempts.