Decodex01

**Name of the Vulnerable Software and Affected Versions** Huawei MT882 V100R002B020 ARG-T version 3.7.9.98 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters in various scripts. The affected parameters include `BackButton` to "error 1", `wzConnFlag` to "fresh pppoe 1", `diag pppindex argen` and `DiagStartFlag` to "rpDiag argen 1", `wzdmz active` and `wzdmzHostIP` to "rpNATdmz argen 1", `wzVIRTUALSVR endPort`, `wzVIRTUALSVR endPortLocal`, `wzVIRTUALSVR IndexFlag`, `wzVIRTUALSVR localIP`, `wzVIRTUALSVR startPort`, and `wzVIRTUALSVR startPortLocal` to "rpNATvirsvr argen 1", `Connect DialFlag`, `Connect DialHidden`, and `Connect Flag` to "rpStatus argen 1", `Telephone select` and `wzFirstFlag` to "rpwizard 1", and `wzConnectFlag` to "rpwizPppoe 1". **Recommendations** To resolve the issue, update the firmware to a version that includes the fix for this problem. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Huawei MT882 V100R002B020 ARG-T version 3.7.9.98 **Description** The issue concerns a form in rpwizPppoe.htm that does not disable the autocomplete setting for the `password` parameter. This makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. **Recommendations** For version 3.7.9.98, consider disabling the autocomplete feature for the `password` parameter in the rpwizPppoe.htm form to prevent easy access to the password.