Stored Cross Site Scripting Vulnerability in Skyworth Router

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Skyworth Router CM5100, version 4.1.1.24. The web interface fails to properly validate user-supplied input for the IPsec Tunnel Name parameter, allowing injection of arbitrary script code. The vulnerability is present in the default configuration and requires no special privileges to access the parameter at the web interface [1].

Exploitation

An unauthenticated remote attacker can craft a malicious payload and submit it via the IPsec Tunnel Name parameter at the web interface. The attacker does not require prior authentication or network access beyond reaching the router's management interface. The injected script is stored on the server and executes in the context of any administrator or user who subsequently views the affected page [1].

Impact

Successful exploitation allows the attacker to perform stored XSS attacks, which can lead to session hijacking, credential theft, or defacement. The attacker can execute arbitrary JavaScript in the context of the router's administrative web interface, potentially compromising the management session and gaining further access to the router's configuration [1].

Mitigation

As of the publication date (2024-01-17), no official patch has been released by Skyworth for the CM5100 version 4.1.1.24. Users are advised to restrict access to the web interface to trusted networks and monitor for updates from the vendor. CERT-In advisory CIVN-2024-0013 recommends applying security patches when they become available [1].