Lorenzo Comi

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-3782 version 1.01 **Description** The issue is related to insufficient argument validation in the Acl.asp component of the D-Link DSL-3782 router's microprogram, which can be exploited by a remote attacker to execute arbitrary commands using the `ScrIPaddrEndTXT` parameter. This can allow the attacker to perform unauthorized actions. **Recommendations** For version 1.01, consider restricting access to the Acl.asp component until a patch is available. As a temporary workaround, avoid using the `ScrIPaddrEndTXT` parameter in the affected CLI commands to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-3782 version 1.01 **Description** A stored XSS issue exists in the web interface, allowing authenticated attackers to inject JavaScript or HTML payload inside the ACL page. The injected payload is executed in a user's browser when the "/cgi-bin/New GUI/Acl.asp" API endpoint is requested. **Recommendations** For D-Link DSL-3782 version 1.01, as a temporary workaround, consider restricting access to the "/cgi-bin/New GUI/Acl.asp" API endpoint until a patch is available. Avoid using the ACL page in the web interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.