CVE-2024-27684
Description
A Cross-site scripting (XSS) vulnerability in dlapn.cgi, dldongle.cgi, dlcfg.cgi, fwup.cgi and seama.cgi in D-Link GORTAC750_A1_FW_v101b03 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link GORTAC750 A1 firmware v101b03 contains multiple stored XSS vulnerabilities in CGI endpoints via the url parameter, allowing remote unauthenticated attackers to inject arbitrary HTML/JavaScript.
Vulnerability
A Cross-site scripting (XSS) vulnerability exists in multiple CGI endpoints — dlapn.cgi, dldongle.cgi, dlcfg.cgi, fwup.cgi, and seama.cgi — in D-Link GORTAC750_A1_FW_v101b03. The url parameter is not sanitized before being reflected in the response, allowing injection of arbitrary web script or HTML. The vulnerability is present in firmware version v101b03 of the GORTAC750 A1 device [1].
Exploitation
An attacker can craft a malicious URL containing JavaScript or HTML payloads in the url parameter and trick a target user into accessing it. The attack does not require authentication (remote exploitation) and works over HTTP/HTTPS without any special network position beyond the ability to deliver the crafted link to a victim (e.g., via phishing). No user interaction beyond clicking the link is required [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected device's web interface. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impacts are information disclosure and unauthorized actions performed with the victim's session privileges (typically admin-level on the router) [1].
Mitigation
As of publication date 2024-03-04, D-Link has not released a patched firmware version for GORTAC750 A1. The device is listed under D-Link's End-of-Life (EOL) policy, meaning no further security updates are planned [1]. Users are advised to replace the device with a supported model or, if replacement is not possible, restrict access to the web interface to trusted networks only and avoid clicking untrusted links while logged into the router. No workaround is provided by the vendor.
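Because no vendor fix exists, detection is the practical control. The following added example (not from the advisory or from D-Link) scans combined-format web server log lines for requests to the five CGI endpoints named above whose url parameter carries markup or script, which is the condition that triggers this reflected XSS. The log lines are constructed sample data; the endpoint list and parameter name come from the CVE description.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs, unquote

# CGI endpoints named in the CVE-2024-27684 description.
AFFECTED_CGIS = {"dlapn.cgi", "dldongle.cgi", "dlcfg.cgi", "fwup.cgi", "seama.cgi"}

# Markup/script indicators in a value that the device echoes into HTML unescaped.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Request portion of an Apache/nginx combined log line: method, target, status.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def inspect_request_target(target: str) -> Optional[dict]:
    """Return a finding if the target hits an affected CGI with markup in `url`."""
    parsed = urlparse(target)
    script = parsed.path.rsplit("/", 1)[-1]
    if script not in AFFECTED_CGIS:
        return None
    params = parse_qs(parsed.query, keep_blank_values=True)  # decodes one layer
    for value in params.get("url", []):
        decoded = unquote(unquote(value))  # also catch double-encoded payloads
        if SUSPICIOUS.search(decoded):
            return {"endpoint": script, "url_param": decoded}
    return None


def scan_log(lines) -> list:
    """Apply inspect_request_target to each log line and collect findings."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        finding = inspect_request_target(m.group("target"))
        if finding:
            finding["method"] = m.group("method")
            findings.append(finding)
    return findings


# Constructed sample log lines (assumed addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2024:10:00:01 +0000] "GET /dlcfg.cgi?url=http://192.0.2.1/config HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Mar/2024:10:00:02 +0000] "GET /fwup.cgi?url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734',
    '192.0.2.11 - - [04/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.12 - - [04/Mar/2024:10:00:04 +0000] "GET /seama.cgi?url=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['method']} {f['endpoint']} url={f['url_param']!r}")
```

The double decode matters because the first line of the sample set is a benign plain URL while the last one is double-percent-encoded and would slip past a single-decode check.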
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
D-Link/GORTAC750
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.