CVE-2018-6529
Description
XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php in D-Link DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in D-Link DIR-868L, DIR-865L, and DIR-860L allows remote attackers to steal authentication cookies via a crafted Treturn parameter.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the file htdocs/webinc/js/bsc_sms_inbox.php in D-Link DIR-868L (firmware DIR868LA1_FW112b04 and previous), DIR-865L (firmware DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous), and DIR-860L (firmware DIR860LA1_FW110b04 and previous). The Treturn parameter passed to soap.cgi is not properly sanitized before being reflected in the response, allowing injection of arbitrary JavaScript code [1].
Exploitation
An attacker can craft a malicious URL containing the XSS payload in the Treturn parameter and lure an authenticated user (who has a valid session cookie) into accessing it. The injected script executes in the user's browser, enabling the attacker to exfiltrate the session cookie to an attacker-controlled server [1].
Impact
Successful exploitation allows the attacker to steal the authentication cookie of the victim. With this cookie, the attacker can hijack the victim's session and gain unauthorized access to the router's administrative interface, potentially leading to full compromise of the device [1].
Mitigation
As of the publication date (2018-03-06), no official patch has been released by D-Link for the affected firmware versions. Users should monitor the vendor's support pages for firmware updates. In the absence of a patch, limiting access to the router's web interface to trusted networks and users can reduce risk [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in bsc_sms_inbox.php allows direct injection of the Treturn GET parameter into JavaScript output."
Attack vector
An attacker crafts a URL containing a malicious `Treturn` parameter, such as `http://192.168.0.1/bsc_sms_inbox.php?Treturn=PAYLOAD`, and lures an authenticated victim to open it [1]. The unsanitized input is echoed directly into JavaScript, allowing the attacker to inject arbitrary script that executes in the victim's browser session [1]. This enables the attacker to steal the victim's authentication cookie by exfiltrating it to an attacker-controlled server [1]. The attack can be launched from either the WAN or LAN side [1].
Affected code
The vulnerability resides in `/htdocs/webinc/js/bsc_sms_inbox.php` [1]. The file directly echoes the unsanitized `$_GET["Treturn"]` parameter into JavaScript code without any filtering or encoding [1].
What the fix does
No patch is included in the bundle. The advisory [1] does not provide remediation code. The underlying issue is that the router fails to validate or sanitize user-supplied input before embedding it in JavaScript output. A proper fix would require encoding or escaping the `Treturn` parameter value before echoing it into the JavaScript context, preventing script injection.
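An added example of the escaping step described above, showing the unsafe echo pattern beside a hardened form. It is constructed for illustration and is not code from the D-Link firmware or the advisory; it assumes stock PHP 7.2 or later rather than the router's own interpreter, and the names `js_string_literal`, `render_vulnerable`, `render_hardened` and `ret` are hypothetical.

```php
<?php
// Added example: constructed code, not taken from the D-Link firmware.
// Assumes stock PHP >= 7.2; all function and variable names are hypothetical.

/**
 * Encode an untrusted value as a JavaScript string literal that is safe
 * to place inside an inline <script> block.
 */
function js_string_literal(string $value): string
{
    // JSON_HEX_* turn < > & ' " into \uXXXX escapes, so the value can neither
    // close the string literal nor end the enclosing <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $encoded = json_encode($value, $flags);
    // Fail closed: emit an empty literal if encoding fails.
    return $encoded === false ? '""' : $encoded;
}

// Unsafe pattern the page describes: the parameter is echoed as-is
// into JavaScript source.
function render_vulnerable(array $get): string
{
    return 'var ret = "' . ($get['Treturn'] ?? '') . '";';
}

// Hardened form: the parameter must be a string and is encoded for the
// JavaScript string context before it is written out.
function render_hardened(array $get): string
{
    $raw = $get['Treturn'] ?? '';
    if (!is_string($raw)) {   // e.g. Treturn[]=x arrives as an array
        $raw = '';
    }
    return 'var ret = ' . js_string_literal($raw) . ';';
}

// Constructed sample input containing the characters that matter in this
// context: both quote types, angle brackets and an ampersand.
$sample = ['Treturn' => 'inbox"\'</script>&'];
echo render_vulnerable($sample), "\n";  // quotes and </script> pass through
echo render_hardened($sample), "\n";    // same characters arrive as \uXXXX
```

If the parameter only ever needs to carry a small set of known values, checking it against an allowlist before output is stricter than escaping alone.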
Preconditions
- auth: Victim must be authenticated to the router's web interface
- network: Attacker must be able to reach the router's web interface (WAN or LAN)
- input: Victim must open a crafted URL supplied by the attacker
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)
- ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf (mitre, x_refsource_CONFIRM)