Stored Cross Site Scripting Vulnerability in Skyworth Router

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Skyworth Router CM5100, version 4.1.1.24. The web interface fails to properly validate user-supplied input for the Traceroute parameter, allowing an attacker to inject arbitrary script code that gets stored and later executed in the context of the affected application. The vulnerable parameter is accessible through the router's web management interface [1].

Exploitation

A remote attacker with network access to the router's web interface can craft a malicious payload and supply it to the Traceroute parameter. No authentication is required if the interface is exposed, or the attacker could convince an authenticated administrator to visit a crafted link. The injected script is stored on the device and executed when the Traceroute functionality or the affected page is viewed by other users [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, theft of sensitive information displayed in the interface, or further malicious actions against the router or the local network. The attack is persistent, meaning the malicious script remains active until removed [1].

Mitigation

As of publication date 2024-01-17, no patched firmware version has been released by Skyworth. Users should restrict network access to the router's management interface (e.g., by disabling remote management and using a firewall) to reduce exposure. The product may be End-of-Life; contact the vendor for updates [1].