CVE-2019-25284
Description
V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. Attackers can exploit these vulnerabilities by injecting malicious HTML and script code to execute arbitrary scripts in a victim's browser session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
V-SOL GPON/EPON OLT Platform v2.03 is vulnerable to multiple reflected cross-site scripting (XSS) flaws due to improper input sanitization.
The V-SOL GPON/EPON OLT Platform, in versions V2.03.62R_IPv6 and earlier (e.g., V2.03.54R, V2.03.52R, V1.4), is susceptible to multiple reflected cross-site scripting (XSS) vulnerabilities [3]. The root cause is a failure to properly sanitize user-supplied input in several parameters handled by various scripts, allowing the injection of arbitrary HTML and script code [1][3].
Exploitation requires no authentication and can be triggered via crafted GET requests to the vulnerable scripts. Examples include requests to /action/bindProfile.html with a malicious parent parameter and /action/ntp.html with a malicious sntp_server parameter [3]. An attacker only needs to lure a victim into clicking a specially crafted link to execute arbitrary JavaScript in the victim's browser session, effectively performing a reflected XSS attack [1][3].
Successful exploitation allows an attacker to execute arbitrary script code within the context of the victim's browser session. This could lead to session hijacking, defacement, or theft of sensitive information displayed or processed by the affected OLT web interface [1][3]. The attacker does not gain direct control over the OLT device but can compromise the session of an authenticated administrator if such a user is tricked into clicking the malicious link.
As of the advisory's publication date (September 2019), the vendor, Guangzhou V-SOLUTION Electronic Technology Co., Ltd., had not released a patch for these vulnerabilities [1][3]. The vulnerabilities affect numerous firmware versions, and users are advised to restrict access to the OLT management interface to trusted networks as a workaround, or to contact the vendor for an updated firmware version [1][3].
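One way to triage for this in proxy or web access logs, as an added example that is not part of the advisory or any vendor material: it flags requests to the two endpoints named above whose parent or sntp_server value decodes to HTML markup. The Combined Log Format input, the sample lines and the function names are assumptions; the page says other scripts are affected but names only these two.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint -> parameter pairs named in the advisory text above.
WATCHED = {
    "/action/bindProfile.html": {"parent"},
    "/action/ntp.html": {"sntp_server"},
}
# Characters that let a reflected value break out of HTML text or attributes.
MARKUP = re.compile(r"[<>\"'`]")
# Request field of a Combined Log Format line (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return sorted names of watched parameters whose decoded value has markup."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return []
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding
        # (%253C -> %3C -> <).
        if name in watched and MARKUP.search(unquote(value)):
            hits.add(name)
    return sorted(hits)

def scan(lines):
    """Yield (client_ip, path, params) for each log line worth triaging."""
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        params = suspicious_params(m.group("target"))
        if params:
            yield line.split(" ", 1)[0], urlsplit(m.group("target")).path, params

SAMPLE_LOG = [  # constructed lines; documentation-range addresses only
    '192.0.2.10 - - [12/Sep/2019:10:01:02 +0000] "GET /action/ntp.html?sntp_server=pool.ntp.org HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Sep/2019:10:02:40 +0000] "GET /action/ntp.html?sntp_server=%22%3E%3Cb%3Ex HTTP/1.1" 200 540',
    '198.51.100.7 - - [12/Sep/2019:10:03:11 +0000] "GET /action/bindProfile.html?parent=%253Ci%253E HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit means a request worth reviewing, not proof of compromise; pair it with the access restriction described above.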
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = v2.03
Patches
No patches discovered yet.
References: 5