PT-2018-15166 · Actiontec · Actiontec C1000A
Published 2018-12-06 · Updated 2019-02-01 · CVE-2018-19922
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Actiontec C1000A router with firmware through CAC004-31.30L.95
Description
The issue is a persistent (stored) Cross-Site Scripting (XSS) flaw in the advancedsetup websiteblocking.html Website Blocking page. A remote attacker can inject arbitrary HTML into the Website Blocking page: the value submitted in the TodUrlAdd URL parameter of a "/urlfilter.cmd" POST request is stored and later rendered into the page, so any HTML placed in that parameter becomes part of the page content. The vector (UI:R, S:C) reflects that the injected content executes in the browser of a user who subsequently views the page.
Recommendations
For the Actiontec C1000A router with firmware through CAC004-31.30L.95, avoid using the TodUrlAdd parameter in the "/urlfilter.cmd" POST request until the issue is resolved. As a temporary workaround, consider restricting access to the Website Blocking page to minimize the risk of exploitation.
Exploit
Fix
XSS
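The root cause described above is a stored value (the TodUrlAdd parameter) reaching the Website Blocking page as raw HTML. The following is an added example, not Actiontec firmware code or anything from the advisory, showing the two defensive checks such a page needs: validate the entry as a hostname when it is submitted, and HTML-encode every stored entry when it is rendered, so that a stored value can never become markup even if validation was bypassed. Function names, the hostname pattern and the sample entries are this example's own assumptions.

```javascript
// Added example (not Actiontec's code): defensive handling of a
// website-blocking entry, from submission through rendering.
// Function names, HOSTNAME_RE and the sample data are assumptions.

// Encode the five characters that can change meaning in HTML text
// or attribute context. Applied at output time, always.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input validation for the handler that receives the new entry:
// a blocking entry is a DNS hostname (labels of letters, digits and
// hyphens, joined by dots), nothing else. Returns true or false.
const HOSTNAME_RE =
  /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/i;

function isValidBlockEntry(entry) {
  return HOSTNAME_RE.test(String(entry).trim());
}

// Accept an entry only if it validates; return the updated list.
// Stored data is still treated as untrusted when rendered below.
function addBlockEntry(list, entry) {
  if (!isValidBlockEntry(entry)) {
    return { ok: false, list };
  }
  return { ok: true, list: list.concat([String(entry).trim()]) };
}

// Render the stored list as table rows. Every entry is encoded here
// regardless of whether it passed validation when it was stored.
function renderBlockList(entries) {
  const rows = entries.map((e) => `<tr><td>${escapeHtml(e)}</td></tr>`);
  return `<table>${rows.join("")}</table>`;
}

// Constructed sample data: one legitimate entry and one that carries
// markup, as would be stored by a firmware without the checks above.
const SAMPLE_ENTRIES = ["example.com", "<b>not a hostname</b>"];

// Stand-alone demonstration.
const html = renderBlockList(SAMPLE_ENTRIES);
console.log(html);
console.log("markup survived rendering:", html.includes("<b>"));
```

Encoding at render time is the control that actually closes the stored XSS; the hostname validation is defence in depth that also keeps the stored list meaningful as a filter.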
Affected Products
Actiontec C1000A