CVE-2024-51432
Description
Cross Site Scripting vulnerability in FiberHome HG6544C RP2743 allows an attacker to execute arbitrary code via the SSID field in the WIFI Clients List not being sanitized
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in FiberHome HG6544C router allows arbitrary code execution via unsanitized SSID field in the WiFi Clients List.
The vulnerability is a stored cross-site scripting (XSS) flaw in FiberHome HG6544C routers running firmware version RP2743. The SSID field, which is configurable through the web interface, is not sanitized before being displayed in the WiFi Clients List. This allows an attacker to inject malicious HTML and JavaScript code into the SSID name, as reported in [2].
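The missing output encoding described above, sketched as an added example (not FiberHome's code and not taken from the CVE references). The function names, client records and row layout are assumptions, and the marked-up SSID is a constructed, inert sample.

```javascript
// Hypothetical sketch: the router's real page code is not shown on this page.
// Constructed client records; the second SSID carries inert markup.
const clients = [
  { mac: "00:11:22:33:44:55", ssid: "HomeNet-5G" },
  { mac: "66:77:88:99:aa:bb", ssid: '<b title="x">guest</b>' },
];

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: the stored SSID is concatenated into markup as-is.
function renderRowUnsafe(client) {
  return "<tr><td>" + client.mac + "</td><td>" + client.ssid + "</td></tr>";
}

// Hardened pattern: every stored field is encoded at output time.
function renderRowSafe(client) {
  return "<tr><td>" + escapeHtml(client.mac) + "</td><td>" + escapeHtml(client.ssid) + "</td></tr>";
}

// Input-side check: 802.11 limits an SSID to 32 octets. The marked-up sample
// passes this check, so it complements output encoding and cannot replace it.
function isPlausibleSsid(ssid) {
  const bytes = new TextEncoder().encode(ssid);
  return bytes.length <= 32 && !/[\u0000-\u001f\u007f]/.test(ssid);
}

// Count tag openings an HTML parser would see inside the row's cells,
// ignoring the <tr>/<td> tags the template itself emits.
function injectedTags(rowHtml) {
  const inner = rowHtml.replace(/<\/?(tr|td)>/g, "");
  return (inner.match(/<[a-zA-Z/]/g) || []).length;
}

for (const c of clients) {
  console.log(injectedTags(renderRowUnsafe(c)), injectedTags(renderRowSafe(c)));
}
```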
An attacker with network access to the router's administrative interface can set a malicious SSID by connecting to the router's Wi-Fi and then accessing the configuration panel. The injected payload is then stored and rendered in the WiFi Clients List when any administrator views that page. No additional authentication is required beyond the initial access to the router's web interface.
If an administrator visits the WiFi Clients List, the attacker's JavaScript executes in the context of the administrator's session. This can lead to arbitrary actions being performed on the router, such as modifying settings, extracting credentials, or launching further attacks. The CVSS score of 4.8 indicates medium severity because an administrator must view the list.
As of November 2024, no official patch has been released by FiberHome. Users are advised to avoid accessing the WiFi Clients List if untrusted devices are connected to the network. The vulnerability was publicly disclosed with a proof-of-concept exploit [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.