VYPR
Unrated severity · NVD Advisory · Published Jan 17, 2024 · Updated Jun 2, 2025

Stored Cross Site Scripting Vulnerability in Skyworth Router

CVE-2023-51736

Description

This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the L2TP/PPTP Username parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the web interface of the vulnerable targeted system.

Successful exploitation of this vulnerability could allow the attacker to perform stored XSS attacks on the targeted system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Skyworth Router CM5100 via L2TP/PPTP Username parameter allows remote attackers to inject malicious scripts.

Vulnerability

The vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the L2TP/PPTP Username parameter at the web interface. A remote attacker can supply specially crafted input to this parameter, leading to stored cross-site scripting (XSS) [1].
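The missing control described above, as an added example (not Skyworth firmware code and not part of the advisory): an allow-list check before the L2TP/PPTP username is stored, plus HTML encoding when the stored value is written into a page. The function names, the 64-character limit and the allowed character set are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Input check before the value is stored: 1..64 chars from [A-Za-z0-9._@-].
 * The limit and character set are assumptions for this example. */
int vpn_username_is_valid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64)
        return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789._@-") == n;
}

/* Output encoding for HTML text and quoted attributes. Returns the encoded
 * length, or -1 if out is too small (out is then left as an empty string). */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (o + len >= outsz) { out[0] = '\0'; return -1; }
        if (rep) memcpy(out + o, rep, len); else out[o] = *in;
        o += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Weak pattern: snprintf(page, sz, "<td>%s</td>", stored) emits the stored
 * value as markup. Hardened form: encode first, then format. */
int render_username_cell(const char *stored, char *page, size_t sz)
{
    char enc[6 * 64 + 1];               /* worst case: every char -> 6 bytes */
    if (html_escape(stored, enc, sizeof enc) < 0)
        return -1;
    int n = snprintf(page, sz, "<td>%s</td>", enc);
    return (n < 0 || (size_t)n >= sz) ? -1 : n;
}
```

Encoding at render time is the control that still holds for values already stored before the input check was introduced.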

Exploitation

An attacker needs network access to the router's web interface. No authentication is required if the interface is exposed, but typically the attacker would need to be on the same network or have credentials. The attacker submits a malicious payload as the L2TP/PPTP Username, which is stored and later executed when an administrator or user views the configuration page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The attack is stored, meaning the payload persists and affects any user who views the affected page [1].

Mitigation

As of the publication date (2024-01-17), no patch or fixed version has been announced. Users should restrict access to the web interface to trusted networks and monitor for firmware updates from Skyworth. The CERT-In note does not list a workaround [1].

References
  1. Vulnerability

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
