VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2019 · Updated Aug 4, 2024

CVE-2019-9556

Description

FiberHome an5506-04-f RP2669 devices have XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting (XSS) vulnerability in the web management interface of FiberHome AN5506-04-F RP2669 devices allows an authenticated attacker to inject arbitrary JavaScript through the account_user parameter of the user-creation form; the script runs in the browser of anyone who later views the User Account page.

Vulnerability

The FiberHome AN5506-04-F router running firmware version RP2669 is affected by a stored cross-site scripting (XSS) vulnerability. The flaw resides in the web management interface, specifically in the User Account creation functionality. The account_user parameter in the POST request to /goform/setUser is not sanitized before being stored and later rendered in the browser, allowing injection of arbitrary HTML and JavaScript. This affects firmware version RP2669 as distributed by FiberHome [1].

Exploitation

Exploitation requires an authenticated session on the web management interface; the advisory notes that default credentials may be known or guessable. After logging in, the attacker navigates to Management > User Account, adds a new user, and supplies a script payload in the account_user field. The proof of concept uses `<script>alert("XSS")</script>`, which the browser URL-encodes in the POST body. Once saved, the injected script is stored on the device and executes in the browser of every user, administrators included, who later views the User Account list [1].

Impact

Successful exploitation yields arbitrary script execution in the context of the victim's authenticated session on the management interface. Because the victim is typically an administrator, the attacker's script can read any cookies or session tokens exposed to JavaScript and issue requests to the device as the victim (for example, changing router configuration), compromising the confidentiality and integrity of the device [2]. The requirement for valid credentials limits the bug to attackers who already hold some account, so its practical value is escalating from a low-privileged or default account to whatever an administrator's browser can do.

Mitigation

As of the available references, FiberHome has not disclosed an official patch or updated firmware version for this vulnerability. Users are advised to restrict access to the management interface to trusted hosts, change default credentials, and watch for vendor updates. The vulnerability is not currently listed in the CISA KEV catalog [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization on the `account_user` POST parameter allows stored cross-site scripting."

Attack vector

An attacker who has valid credentials to the router's web interface (default credentials often work) navigates to Management > User Account and adds a new user. In the "account_user" field, the attacker injects a URL-encoded payload such as `%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e` (which decodes to `<script>alert("XSS")</script>`). The form is submitted as a POST to `/goform/setUser`; the decoded value is stored and later rendered without encoding when the User Account page is loaded.

Affected code

The vulnerability resides in the `/goform/setUser` endpoint of the FiberHome AN5506-04-F router running firmware RP2669. The `account_user` POST parameter is stored without proper sanitization and later rendered in the User Account management page (`/management/account_admin.asp`).

What the fix does

No patch is present in the bundle, and the advisory [1] includes no vendor fix or remediation guidance. The correct fix is contextual output encoding: the stored `account_user` value must be HTML-entity encoded (at minimum `<`, `>`, `&`, `"` and `'`) at the point where the User Account page renders it, so that a stored name can never be parsed as markup. Restricting account names to an allowlist of safe characters at `/goform/setUser` is worthwhile defence in depth, but it does not protect other pages that render the same stored value, so it should not be the only control.

Preconditions

  • Auth: Attacker must have valid credentials to log into the router's web interface.
  • Config: The router must be running firmware version RP2669.
  • Network: Attacker must have network access to the router's management interface (typically LAN-side at 192.168.1.1).

Reproduction

1. Log in to the router at 192.168.1.1 with valid credentials.
2. Navigate to Management > User Account and click Add User.
3. In the "account_user" field, inject the URL-encoded payload: `%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e`
4. Submit the form (POST to `/goform/setUser`).
5. When any user views the User Account list, the stored script executes in their browser.
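The reproduction steps above and the remediation described under "What the fix does" can be walked through offline in a small simulation. This is an added example written for this page, not FiberHome's firmware or any code from the advisory: it percent-decodes the advisory's payload the way a form handler would, models the vulnerable account page (raw interpolation of the stored name) next to a hardened one (HTML output encoding plus an input allowlist), and includes the check a tester would use to confirm whether a `<script>` tag survives into the rendered page. The form field names other than `account_user`, the allowlist pattern and the page structure are assumptions.

```python
"""Stored-XSS mechanics for the account_user parameter, as a stand-alone
simulation. Added example, not FiberHome firmware code. Assumptions (not from
the advisory): the handler behind /goform/setUser stores the decoded field and
the account page interpolates it into HTML verbatim (vulnerable path); the
hardened path applies an input allowlist and HTML-encodes on output."""
import html
import re
import urllib.parse

# URL-encoded payload exactly as given in the advisory's reproduction steps.
PAYLOAD_ENCODED = (
    "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29"
    "%3c%2f%73%63%72%69%70%74%3e"
)

# Constructed form bodies. Only account_user is named in the advisory; the other
# field names are placeholders for a realistic Add User request.
MALICIOUS_POST = f"account_user={PAYLOAD_ENCODED}&account_pass=Secret1&account_level=1"
BENIGN_POST = "account_user=ops-admin_2&account_pass=Secret1&account_level=1"

# Allowlist for account names (assumed policy; the device's real rules are unknown).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def parse_post(body: str) -> dict:
    """Percent-decode an application/x-www-form-urlencoded body, as a CGI handler would."""
    return dict(urllib.parse.parse_qsl(body, keep_blank_values=True))


def render_accounts_vulnerable(users: list) -> str:
    """Models the flawed page: stored names are interpolated into HTML verbatim."""
    rows = "".join(f"<tr><td>{name}</td></tr>" for name in users)
    return f'<table id="accounts">{rows}</table>'


def render_accounts_fixed(users: list) -> str:
    """Output encoding for HTML element context: '<', '>', '&' and quotes become entities."""
    rows = "".join(f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in users)
    return f'<table id="accounts">{rows}</table>'


def set_user_vulnerable(store: list, body: str) -> bool:
    """Models /goform/setUser as described: decode and store, no validation."""
    store.append(parse_post(body)["account_user"])
    return True


def set_user_fixed(store: list, body: str) -> bool:
    """Input allowlist as defence in depth; returns False instead of storing a bad name."""
    name = parse_post(body).get("account_user", "")
    if not USERNAME_RE.fullmatch(name):
        return False
    store.append(name)
    return True


def page_has_live_script(page: str) -> bool:
    """Tester's check: an unencoded <script> start tag means the payload will execute."""
    return re.search(r"<script\b[^>]*>", page, re.IGNORECASE) is not None


def run_demo() -> dict:
    """Exercise both paths with the same requests and return the observations."""
    vuln_store, fixed_store = [], []
    set_user_vulnerable(vuln_store, MALICIOUS_POST)
    accepted_payload = set_user_fixed(fixed_store, MALICIOUS_POST)
    accepted_valid = set_user_fixed(fixed_store, BENIGN_POST)
    vuln_page = render_accounts_vulnerable(vuln_store)
    # Render the raw payload through the encoding path too: even if the allowlist
    # were bypassed, output encoding is what actually neutralises it.
    fixed_page = render_accounts_fixed(vuln_store + fixed_store)
    return {
        "decoded_payload": vuln_store[0],
        "vulnerable_page": vuln_page,
        "fixed_page": fixed_page,
        "vulnerable_page_has_script": page_has_live_script(vuln_page),
        "fixed_page_has_script": page_has_live_script(fixed_page),
        "fixed_handler_accepted_payload": accepted_payload,
        "fixed_handler_accepted_valid": accepted_valid,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the decoded payload and both rendered pages. The encoding on output is what closes the bug; the allowlist only narrows what the user-creation form accepts and would not protect any other page that renders the same stored value.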

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.