CVE-2018-6528
Description
XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted receiver parameter to soap.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in D-Link DIR-868L, DIR-865L, and DIR-860L routers allows remote attackers to steal cookies via a crafted `receiver` parameter to soap.cgi.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in /htdocs/webinc/body/bsc_sms_send.php of D-Link DIR-868L (DIR868LA1_FW112b04 and prior), DIR-865L (DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and prior), and DIR-860L (DIR860LA1_FW110b04 and prior) [1]. The `receiver` GET parameter is echoed unsanitized into an `input` element's `value` attribute, allowing an attacker to inject arbitrary JavaScript [1].
Exploitation
An attacker must lure an authenticated user to visit a crafted URL, such as http://192.168.0.1/bsc_sms_send.php?receiver="><" [1]. No authentication or network position beyond LAN or WAN access is required for the attacker to send the malicious link; the victim must be logged into the router's web interface [1].
Impact
Successful exploitation enables the attacker to steal the victim's session cookie, leading to full compromise of the authenticated web interface session [1]. This can result in further attacks such as unauthorized configuration changes or sensitive information disclosure.
Mitigation
No official fix is documented for these end-of-life devices. Users should upgrade to a supported router model or, if possible, restrict access to the web interface via firewall rules and avoid clicking untrusted links while authenticated [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `receiver` GET parameter allows reflected XSS."
Attack vector
An unauthenticated remote attacker can craft a URL containing a malicious `receiver` parameter that breaks out of the HTML attribute context. For example, `receiver=">
Affected code
The vulnerable code is in `/htdocs/webinc/body/bsc_sms_send.php`, where the `receiver` GET parameter is echoed directly into an `input` element's `value` attribute without sanitization: `value="<? echo $_GET["receiver"]; ?>"` [1]. The same file also appears in the CVE description as `htdocs/webinc/body/bsc_sms_send.php`.
What the fix does
No patch is included in the bundle. The advisory [1] identifies that the root cause is the router's failure to validate or escape user-supplied input before embedding it in HTML output. The recommended remediation would be to properly encode or sanitize the `receiver` parameter (and similar GET parameters) before echoing them into the page, preventing script injection.
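The audit and encoding step described above, as an added Python example (not code from the advisory or from D-Link): it flags raw `echo $_GET[...]` reflections in a template and shows how attribute encoding with `html.escape` keeps a reflected value inside the `value` attribute. The template text and all function names are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Raw reflection of a request parameter, as quoted on this page:
#   <? echo $_GET["receiver"]; ?>
RAW_ECHO = re.compile(
    r"""<\?\s*echo\s+\$_(GET|POST|REQUEST)\[\s*["']([^"']+)["']\s*\]\s*;?\s*\?>""")
# Text before the echo ends inside a still-open double-quoted attribute value.
OPEN_ATTR = re.compile(r"""([\w-]+)\s*=\s*"[^"<]*$""")

# Constructed template, not taken from the firmware.
SAMPLE_TEMPLATE = '''<form>
<input type="text" id="receiver" value="<? echo $_GET["receiver"]; ?>">
<span><? echo $_GET["status"]; ?></span>
<input type="text" id="fixed" value="static">
</form>'''


def find_raw_reflections(template):
    """Return (line_no, param, enclosing_attribute_or_None) per unescaped echo."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for m in RAW_ECHO.finditer(line):
            attr = OPEN_ATTR.search(line[:m.start()])
            findings.append((line_no, m.group(2), attr.group(1) if attr else None))
    return findings


def render_field(receiver, escape):
    """Model the reflected field; escape=False mirrors the echo described above."""
    value = html.escape(receiver, quote=True) if escape else receiver
    return f'<input type="text" name="receiver" value="{value}">'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Parse markup the way an HTML parser would and list its start tags."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags
```

For a value `s` containing `">`, `parsed_tags(render_field(s, escape=False))` yields more than one start tag, while `escape=True` yields a single `input` whose `value` equals `s`.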
Preconditions
- auth: The victim must be authenticated to the router's web interface.
- network: The attacker must be able to reach the router's web interface over the network (LAN or WAN).
- input: The attacker must lure the victim into opening a crafted URL.
Reproduction
Craft a URL such as `http://192.168.0.1/bsc_sms_send.php?receiver=">
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)