CVE-2019-10677

Name of the Vulnerable Software and Affected Versions DASAN Zhone ZNID GPON 2426A EU version S3.1.285

Description The issue affects the web interface of the device, allowing a remote attacker to execute arbitrary JavaScript code via manipulation of unsanitized GET parameters. Specifically, the name parameter in the /zhndnsdisplay.cmd endpoint and the wlWscCfgMethod and wl wsc reg parameters in the /wlsecrefresh.wl endpoint are vulnerable. This could potentially lead to Cross-Site Scripting (XSS) attacks.

Recommendations For DASAN Zhone ZNID GPON 2426A EU version S3.1.285, consider disabling access to the /zhndnsdisplay.cmd and /wlsecrefresh.wl endpoints until a patch is available. Additionally, restrict the use of the name, wlWscCfgMethod, and wl wsc reg parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.