Advan VD-1 has a reflected XSS vulnerability in page cgibin/ssi.cgi
Description
A reflected cross-site scripting (XSS) vulnerability was found in Advan VD-1 firmware versions up to 230. When a requested resource is not found under the cgibin/ssi.cgi page, VD-1 responds with a path error message that echoes the requested path. Because that error message does not properly escape the echoed input, the result is a reflected XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Advan VD-1 firmware up to v230 allows an unauthenticated attacker to execute arbitrary JavaScript in a victim's browser via a crafted path in cgibin/ssi.cgi.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Advan VD-1 firmware versions up to v230. The flaw resides in the cgibin/ssi.cgi page, which returns a path error message when a requested resource is not found. The error message reflects the requested path into the HTML response without HTML-escaping it, so an attacker who controls that path can inject arbitrary markup and JavaScript [1].
Exploitation
An attacker exploits this vulnerability by crafting a URL whose path (the resource requested under cgibin/ssi.cgi) carries a malicious payload. No authentication is required to trigger the XSS, but the attack is reflected: the attacker must get a victim, for example an administrator who is logged in to the device's web interface, to open the crafted link. The injected script then executes in the context of the victim's browser session with the device [1].
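The following is an added illustration of the defect class described in the Vulnerability and Exploitation sections above; it is not the VD-1's ssi.cgi source, which is not reproduced on this page. It assumes a minimal "resource not found" handler that concatenates the decoded request path into an HTML error body, shows the same handler with HTML escaping applied, and includes a crude reflection check of the kind a tester would use to confirm whether a probe string comes back with its markup intact. The request URI and probe string are constructed for the example.

```python
import html
from urllib.parse import quote, unquote, urlsplit

# Constructed stand-in for a CGI "path not found" error page. It is NOT the
# VD-1's ssi.cgi code; it only models the behaviour the CVE describes:
# the requested path is echoed into HTML without escaping.


def not_found_vulnerable(request_uri: str) -> str:
    """Builds the error page with the decoded path concatenated straight into
    the HTML body. Any '<', '>' or '"' in the path becomes live markup."""
    path = unquote(urlsplit(request_uri).path)
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>Error: path {path} was not found</p>"
        "</body></html>"
    )


def not_found_hardened(request_uri: str) -> str:
    """Same page, but the reflected path is HTML-escaped for the element-text
    context it is placed in (quotes included, so it is also safe if a later
    edit moves it into an attribute value)."""
    path = unquote(urlsplit(request_uri).path)
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>Error: path {html.escape(path, quote=True)} was not found</p>"
        "</body></html>"
    )


def reflects_unescaped(response_body: str, probe: str) -> bool:
    """Crude reflected-XSS check for the HTML text context: does the probe
    come back byte-for-byte, i.e. with its markup characters unescaped?"""
    return probe in response_body


# Constructed probe: markup that would break out of the <p> text context.
# It is a marker for the check, not a payload taken from the advisory.
PROBE = '"><svg onload=alert(1)>'
# Constructed request path under the affected CGI, with the probe URL-encoded
# the way a browser would send it; unquote() in the handlers restores it.
CRAFTED_URI = "/cgibin/ssi.cgi/" + quote(PROBE, safe="")


def compare() -> dict:
    """Returns whether each handler reflects the probe unescaped."""
    return {
        "vulnerable": reflects_unescaped(not_found_vulnerable(CRAFTED_URI), PROBE),
        "hardened": reflects_unescaped(not_found_hardened(CRAFTED_URI), PROBE),
    }


if __name__ == "__main__":
    for name, reflected in compare().items():
        print(f"{name}: probe reflected unescaped = {reflected}")
    print(not_found_hardened(CRAFTED_URI))
```

The check only covers the element-text context the error message sits in; a path echoed into an attribute, a `<script>` block or a JavaScript string needs the encoding appropriate to that context, and a Content-Security-Policy header on the device's web interface would reduce the impact of any reflection the escaping misses.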
Impact
Successful exploitation lets an attacker run arbitrary JavaScript in the origin of the device's web interface. Typical consequences are session hijacking, defacement of the page, or redirection to attacker-controlled sites; against a logged-in administrator, the script could also capture credentials or perform unauthorized actions through the web interface on the victim's behalf [1].
Mitigation
As of the cited references, no patch or firmware update addressing this vulnerability has been published; all firmware versions up to 230 are affected. Users should monitor the vendor for an update and install it when one becomes available, and in the meantime restrict network access to the device's web interface so that only trusted administrators can reach it [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AndroVideo / Advan VD-1 firmware, versions up to 230
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- surl.twcert.org.tw/SpTwh (x_refsource_CONFIRM)
- gist.github.com/keniver/f5155b42eb278ec0273b83565b64235b (x_refsource_CONFIRM)
- tvn.twcert.org.tw/taiwanvn/TVN-201906008 (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.