CVE-2018-19922

Name of the Vulnerable Software and Affected Versions Actiontec C1000A router with firmware through CAC004-31.30L.95

Description The issue concerns a Persistent Cross-Site Scripting (XSS) flaw in the advancedsetup websiteblocking.html Website Blocking page. This allows a remote attacker to inject arbitrary HTML into the Website Blocking page. The exploitation occurs by inserting arbitrary HTML into the TodUrlAdd URL parameter in a "/urlfilter.cmd" POST request.

Recommendations For Actiontec C1000A router with firmware through CAC004-31.30L.95, avoid using the TodUrlAdd parameter in the "/urlfilter.cmd" POST request until the issue is resolved. As a temporary workaround, consider restricting access to the Website Blocking page to minimize the risk of exploitation.