Stored Cross Site Scripting Vulnerability in Skyworth Router
Description
This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the DDNS Password parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system.
Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Skyworth Router CM5100 4.1.1.24 has stored XSS via insufficient validation of the DDNS Password parameter at the web interface.
Vulnerability
The Skyworth Router CM5100, version 4.1.1.24, contains a stored cross-site scripting (XSS) vulnerability in the web interface. The vulnerability is due to insufficient validation of user-supplied input for the DDNS Password parameter. An attacker can inject arbitrary scripts via this parameter, which will be stored and later executed in the context of the administrator's browser. [1]
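The flaw class described above, shown beside two hardened forms, as an added example that is not Skyworth firmware code. The field name `ddns_password`, the function names and the allowed character set are assumptions made for illustration.

```javascript
// Added illustration; NOT Skyworth firmware code. All names here are hypothetical.
'use strict';

// Encode the characters that matter in HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak pattern: the stored value is concatenated into the attribute unencoded,
// so a quote in the stored value ends the attribute and the rest parses as markup.
function renderDdnsFormWeak(cfg) {
  return '<input type="password" name="ddns_password" value="' + cfg.ddnsPassword + '">';
}

// Hardened pattern 1: contextual output encoding at render time.
function renderDdnsFormEncoded(cfg) {
  return '<input type="password" name="ddns_password" value="' +
    escapeHtml(cfg.ddnsPassword) + '">';
}

// Hardened pattern 2: never send the stored secret back to the browser at all.
function renderDdnsFormNoEcho(cfg) {
  const hint = cfg.ddnsPassword ? 'unchanged' : 'not set';
  return '<input type="password" name="ddns_password" value="" placeholder="' + hint + '">';
}

// Server-side check on save: bounded length, printable ASCII, no markup metacharacters.
// The allowed set is an assumption; a DDNS provider may permit other characters,
// which is why output encoding remains the primary control.
function validateDdnsPassword(value) {
  return typeof value === 'string' &&
    /^[\x21-\x7e]{1,64}$/.test(value) &&
    !/[<>"'&]/.test(value);
}

// Constructed sample: a stored value containing a quote and angle brackets.
const stored = { ddnsPassword: 'pw"><i>constructed</i>' };

// Rough count of opening tags, sufficient for this fixed sample.
function countTags(html) {
  return (html.match(/<[a-z]+[\s>]/gi) || []).length;
}
```

Counting tags in each rendering of the constructed value shows the difference: the weak form yields an extra element from stored data, while both hardened forms yield only the `input` element.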
Exploitation
A remote attacker needs network access to the router's web interface. No prior authentication is explicitly required, but the attacker must have access to the configuration page where the DDNS Password parameter is set (likely after logging in as an administrator). The attacker supplies specially crafted JavaScript as the value of the DDNS Password parameter. When an administrator views the stored configuration (e.g., via the web admin panel), the injected script executes in their browser. [1]
Impact
Successful exploitation allows an attacker to perform stored XSS attacks. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, all within the security context of the administrator's browser session with the router. [1]
Mitigation
As of January 2024, no official patch or fixed version has been released by Skyworth for the CM5100 router. The CERT-In advisory [1] recommends that users apply workarounds such as restricting network access to the router's web interface and avoiding use of default credentials. Users should monitor vendor channels for a firmware update. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.1.1.24
- Hathway/Skyworth Router CM5100v5 Range: 0
Patches
No patches discovered yet.