CVE-2019-13374

Name of the Vulnerable Software and Affected Versions D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100 BETA6

Description A cross-site scripting (XSS) issue in the PayAction.class.php resource view allows remote attackers to inject arbitrary web script or HTML via the passcode parameter in the "index.php/Pay/passcodeAuth" endpoint. This vulnerability is related to the lack of protection measures for the web page structure, which can be exploited by a remote attacker to inject malicious scripts or HTML code.

Recommendations For D-Link Central WiFi Manager CWM(100) versions prior to v1.03R0100 BETA6, update to version v1.03R0100 BETA6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "index.php/Pay/passcodeAuth" endpoint to minimize the risk of exploitation. Avoid using the passcode parameter in this endpoint until the issue is resolved.