CVE-2020-23055
Description
ANCOM WLAN Controller (Wireless Series & Hotspot) WLC-1000 & WLC-4006 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the /authen/start/ module via the userid and password parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple non-persistent XSS vulnerabilities in LANCOM WLAN Controller WLC-1000 and WLC-4006 via userid and password parameters in /authen/start/ module.
Vulnerability
The LANCOM WLAN Controller WLC-1000 and WLC-4006 running LCOS 10.x (specifically versions 10.12 SU14, 10.20 SU9, and 10.32 RU8) contain multiple non-persistent cross-site scripting (XSS) vulnerabilities in the /authen/start/ module. The userid and password parameters are not properly sanitized, allowing injection of arbitrary HTML and JavaScript [1].
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL containing a payload in the userid or password parameter. The victim must be tricked into clicking the crafted link while accessing the WLAN Controller's web interface. No authentication is required to reach the vulnerable /authen/start/ module [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session cookie theft, phishing, or defacement of the login page. The attacker does not gain direct access to the controller but can perform actions on behalf of the authenticated user if the victim is logged in [1].
Mitigation
The vendor released a patch on 2020-04-20. Users should upgrade to the latest firmware version for their device. As of the publication date, no workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ANCOM / WLAN Controller
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `userid` and `password` parameters of the `/authen/start/` module allows reflected cross-site scripting."
Attack vector
An unauthenticated attacker connects to the guest Wi-Fi hotspot and accesses the web UI login form at `/authen/start/` [ref_id=1]. The attacker injects script code into the `userid` or `password` parameters via a POST request, or via a GET request using the `refreshuser` parameter in the logout module [ref_id=1]. The injected script executes in the victim's browser as soon as the reflected value is rendered next to the input field, enabling session hijacking, phishing, or redirect attacks [ref_id=1].
Affected code
The vulnerabilities are located in the `userid` and `password` parameters of the `/authen/start/` (login/logout) module on the ANCOM (LANCOM) WLC-1000 and WLC-4006 controllers running LCOS 10.x firmware [ref_id=1]. The vulnerable source code shows the login input fields directly reflect user-supplied values without sanitization [ref_id=1].
What the fix does
The advisory recommends parsing and restricting the content of the username and password input fields to disallow special characters, and sanitizing the output location where the content is reflected [ref_id=1]. The vendor resolved the vulnerabilities in LCOS versions 10.12 SU15, 10.20 SU10, and 10.32 RU9 [ref_id=1]. No patch diff is available in the bundle.
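As an added example (not the LANCOM firmware's code, which is not available on this page), the following JavaScript contrasts the pattern the advisory describes, raw reflection of the submitted user id into the login form, with the two controls it recommends: an allow-list on the accepted characters of the field and HTML-encoding at the point where the value is reflected. The function names, the allow-list pattern and the sample input are assumptions constructed for illustration only.

```javascript
// Added example, not LANCOM's code. Shows why reflecting a login field
// verbatim is dangerous and how the two controls recommended in the
// advisory (input restriction + output encoding) close the gap.

// Hypothetical vulnerable pattern: the form template reflects the
// previously submitted user id so the user can correct a typo, by
// interpolating the raw string into an HTML attribute.
function renderLoginVulnerable(userid) {
  return `<input type="text" name="userid" value="${userid}">`;
}

// Output encoding for HTML text and attribute contexts. Every character
// that can terminate an attribute or open a tag is turned into an entity.
function htmlEncode(s) {
  return String(s).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  })[ch]);
}

// Fixed with output encoding alone: the value is still reflected, but it
// can no longer break out of the value="..." attribute.
function renderLoginEncoded(userid) {
  return `<input type="text" name="userid" value="${htmlEncode(userid)}">`;
}

// Input restriction (hypothetical policy; the product's real username
// rules are not on the page): a conservative allow-list for hotspot ids.
const USERID_PATTERN = /^[A-Za-z0-9._@-]{1,64}$/;

function isValidUserid(userid) {
  return USERID_PATTERN.test(String(userid));
}

// Defence in depth: reject ids outside the allow-list so nothing
// suspicious is reflected at all, and encode whatever is reflected.
function renderLoginHardened(userid) {
  const shown = isValidUserid(userid) ? userid : '';
  return `<input type="text" name="userid" value="${htmlEncode(shown)}">`;
}

// Reviewer check: does the rendered markup still contain the submitted
// value unencoded while that value carries attribute-breaking characters?
function reflectsUnencoded(html, input) {
  return html.includes(input) && /["<>]/.test(input);
}

// Constructed sample input: closes the attribute and injects a harmless tag.
const SAMPLE_BAD_INPUT = 'test"><b>x</b>';

// Stand-alone demonstration of the three renderers on the sample input.
console.log('vulnerable :', renderLoginVulnerable(SAMPLE_BAD_INPUT));
console.log('encoded    :', renderLoginEncoded(SAMPLE_BAD_INPUT));
console.log('hardened   :', renderLoginHardened(SAMPLE_BAD_INPUT));
```

Encoding at the reflection point is the control that actually removes the XSS; the allow-list on its own is not sufficient, because a legitimate field such as `password` may need to accept special characters, which is why the advisory recommends both.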
Preconditions
- network: Attacker must be within range of the guest Wi-Fi hotspot and able to connect without credentials
- input: Victim must interact with the login form (e.g., submit the form or trigger a logout GET request)
Reproduction
1. Connect to the public guest Wi-Fi hotspot of the affected LANCOM WLC device.
2. Open the web UI login form at `/authen/start/`.
3. Inject the payload `test">>
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.vulnerability-lab.com/get_content.php (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.