VYPR
Unrated severity · NVD Advisory · Published Oct 22, 2021 · Updated Aug 4, 2024

CVE-2020-28968

Description

Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing input validation in the username field of the RADIUS Server Configuration module allows injection of arbitrary script code."

Attack vector

An attacker with limited (guest-level) authenticated access to the Draytek VigorAP web interface navigates to the RADIUS Setting - RADIUS Server Configuration module and injects a malicious script payload into the username input field [ref_id=1]. The payload is submitted via a POST request and stored server-side. When a privileged user views the Users Profile table within the same module, the stored script executes in the browser context of that user [ref_id=1]. This enables session hijacking, persistent phishing, or external redirects [ref_id=1].

Affected code

The vulnerability is located in the RADIUS Setting - RADIUS Server Configuration module, specifically the username input field of the Users Profile section [ref_id=1]. The advisory identifies the vulnerable source as http://vigorAP.localhost:50902/home.asp [ref_id=1]. No specific function or file names beyond the module path are provided.

What the fix does

The advisory does not include a patch or vendor fix. The remediation guidance is implicit in the vulnerability class: the application must properly sanitize or encode the username input before storage and before rendering in the browser context [ref_id=1]. No official patch is referenced in the disclosed materials.
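The following is an added illustration of the remediation described above, not code from the advisory or from Draytek: the unencoded rendering pattern that makes a stored username active markup in the Users Profile table, beside the HTML-encoded rendering that neutralises it, plus a storage-side allowlist as defence in depth. The sample payload and the username policy are constructed assumptions for the example.

```python
import html
import re

# Constructed sample of the kind of value the advisory describes being stored
# in the RADIUS Server Configuration username field (not a captured payload).
SAMPLE_PAYLOAD = "<script>alert(1)</script>"


def render_profile_row_vulnerable(username: str) -> str:
    """Pattern the advisory describes: the stored username is concatenated
    into the Users Profile table row without encoding, so markup renders."""
    return f"<tr><td>{username}</td></tr>"


def render_profile_row_hardened(username: str) -> str:
    """Remediation: HTML-encode at render time. quote=True also escapes
    ' and " so the same helper is safe if the value lands in an attribute."""
    return f"<tr><td>{html.escape(username, quote=True)}</td></tr>"


# Defence in depth on the storage side. RADIUS user names are plain
# identifiers in practice, so reject anything outside a conservative
# allowlist (assumed policy for this example, not the device's own rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_valid_radius_username(username: str) -> bool:
    """True when the submitted username fits the allowlist; reject otherwise."""
    return USERNAME_RE.fullmatch(username) is not None


def contains_active_markup(rendered: str) -> bool:
    """Crude check for the vulnerable outcome: any tag in the rendered row
    other than the table structure the renderer itself emits."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return any(t.lower() not in {"tr", "td"} for t in tags)
```

Encoding at render time is the control that closes the bug; the allowlist only narrows what can be stored and must not replace it.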

Preconditions

  • auth: Attacker must have a low-privileged (guest) authenticated session on the VigorAP web interface.
  • network: Attacker must be able to reach the VigorAP administrative web interface over the network.
  • input: Attacker must submit a crafted payload via the username field in the RADIUS Server Configuration module.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
