PT-2015-5024 · D Link · D-Link Dsl-2730B

Mauricio Corrêa · Published 2015-01-21 · Updated 2023-04-26 · CVE-2015-1028

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

D-Link DSL-2730B router (rev C1) with firmware GE 1.01

Description

The issue allows remote authenticated users to inject arbitrary web script or HTML via several parameters, including the domainname parameter to "dnsProxy.cmd" (DNS Proxy Configuration Panel), the brName parameter to "lancfg2get.cgi" (Lan Configuration Panel), the wlAuthMode, wl_wsc_reg, or wl_wsc_mode parameters to "wlsecrefresh.wl" (Wireless Security Panel), or the wlWpaPsk parameter to "wlsecurity.wl" (Wireless Password Viewer).

Recommendations

For D-Link DSL-2730B router (rev C1) with firmware GE 1.01, consider restricting access to the DNS Proxy Configuration Panel, Lan Configuration Panel, Wireless Security Panel, and Wireless Password Viewer until a patch is available. As a temporary workaround, avoid using the domainname, brName, wlAuthMode, wl_wsc_reg, wl_wsc_mode, and wlWpaPsk parameters in their respective panels to minimize the risk of exploitation.
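
While access to the panels is being restricted, requests that reach them can also be reviewed. The following is an added example, not part of the original advisory or any vendor tooling: it scans web or proxy access-log lines for the endpoints and parameters listed in the description and reports values that carry HTML metacharacters. It assumes a common-log-format request field, parameters sent in the URL query string, and the underscore spelling wl_wsc_reg and wl_wsc_mode; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint -> parameters named in the advisory (underscore spelling assumed).
WATCHED = {
    "dnsProxy.cmd": {"domainname"},
    "lancfg2get.cgi": {"brName"},
    "wlsecrefresh.wl": {"wlAuthMode", "wl_wsc_reg", "wl_wsc_mode"},
    "wlsecurity.wl": {"wlWpaPsk"},
}
# HTML metacharacters. A WPA passphrase may legitimately contain them, so a
# wlWpaPsk hit is a lead for triage rather than proof of injection.
MARKUP = re.compile(r"[<>\"']")
# Request field of a common-log-format line (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(url):
    """Return (endpoint, parameter, decoded value) for watched parameters carrying markup."""
    parts = urlsplit(url)  # handles both relative and absolute (proxy-style) URLs
    endpoint = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(endpoint, set())
    # parse_qsl percent-decodes, so %3C and < are treated alike.
    return [(endpoint, name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in watched and MARKUP.search(value)]

def scan(lines):
    """Collect findings from every log line that contains a request field."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if match:
            findings.extend(suspicious_params(match.group(1)))
    return findings

# Constructed sample lines; addresses, timestamps and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - admin [21/Jan/2015:10:00:00 +0000] "GET /dnsProxy.cmd?domainname=Home HTTP/1.1" 200 512',
    '192.0.2.10 - admin [21/Jan/2015:10:01:00 +0000] "GET /dnsProxy.cmd?domainname=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.10 - admin [21/Jan/2015:10:02:00 +0000] "GET http://192.168.1.1/wlsecrefresh.wl?wl_wsc_mode=%3Ci%3Ex HTTP/1.1" 200 300',
    '192.0.2.10 - admin [21/Jan/2015:10:03:00 +0000] "GET /index.html?domainname=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Values submitted in a POST body do not appear in an access log, so this check only covers requests whose parameters are visible in the logged URL.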

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2015-1028

Affected Products: D-Link Dsl-2730B