Stored Cross Site Scripting Vulnerability in Skyworth Router
Description
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Time Server 1 parameter in its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system.
Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Skyworth Router CM5100 through insufficient input validation of the Time Server 1 parameter, allowing remote attackers to execute arbitrary JavaScript in the web interface.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Skyworth Router CM5100, version 4.1.1.24. The web interface does not properly validate user-supplied input for the Time Server 1 parameter, allowing an attacker to inject malicious scripts. The parameter is reachable through the router's administrative web interface [1].
Exploitation
An attacker must have network access to the router's web interface and valid administrative credentials. By supplying specially crafted JavaScript payloads to the Time Server 1 parameter, the attacker can store the malicious script. When an administrator later views the affected page, the script executes in the context of the browser session [1].
Impact
Successful exploitation enables stored XSS attacks. The attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or further compromise of the router's administrative interface. No privilege escalation is detailed; the attacker already has administrative access [1].
Mitigation
As of the publication date (2024-01-17), no patched firmware version has been released. Users should monitor vendor advisories and apply updates when available. Restricting administrative web interface access to trusted networks may reduce exposure. The vulnerability is not listed on the CISA KEV as of the reference date [1].
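The missing control described above is server-side validation of the Time Server 1 value plus output encoding when the settings page is rendered. The following is an added example, not Skyworth firmware code and not part of the advisory; the function names, the `timeServer1` field name and the sample values are assumptions constructed for illustration, and it covers host names and IPv4 literals only.

```javascript
// Added example: hypothetical settings-handler logic, not vendor code.

// RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading or
// trailing hyphen. Dotted IPv4 literals satisfy the same rule label by label.
const LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidTimeServer(value) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > 253) return false;
  return value.split('.').every((label) => LABEL.test(label));
}

// Output encoding for HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Input side: refuse to store anything that is not a host name or IPv4 address.
function saveTimeServer(config, value) {
  if (!isValidTimeServer(value)) {
    return { ok: false, error: 'Time Server 1 must be a host name or IP address' };
  }
  config.timeServer1 = value;
  return { ok: true };
}

// Output side: encode on render even though new values are validated, so a
// value stored before the check existed cannot break out of the attribute.
function renderTimeServerField(config) {
  const value = escapeHtml(config.timeServer1 ?? '');
  return `<input type="text" name="timeServer1" value="${value}">`;
}
```

Validation alone does not clean values already stored in the configuration, which is why the render path encodes as well.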
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: = 4.1.1.24
- Hathway/Skyworth Router CM5100v5, Range: 0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.