CVE-2018-6528

Name of the Vulnerable Software and Affected Versions D-Link DIR-860L versions prior to DIR860LA1 FW110b04 D-Link DIR-865L versions prior to DIR-865L REVA FIRMWARE PATCH 1.08.B01 D-Link DIR-868L versions prior to DIR868LA1 FW112b04

Description The issue is related to improper input validation in the htdocs/webinc/body/bsc sms send.php script of D-Link router software. This can be exploited by a remote attacker to conduct an XSS attack via a specially crafted parameter for soap.cgi, potentially allowing the attacker to read cookies.

Recommendations For D-Link DIR-860L versions prior to DIR860LA1 FW110b04, update to a version newer than DIR860LA1 FW110b04. For D-Link DIR-865L versions prior to DIR-865L REVA FIRMWARE PATCH 1.08.B01, update to a version newer than DIR-865L REVA FIRMWARE PATCH 1.08.B01. For D-Link DIR-868L versions prior to DIR868LA1 FW112b04, update to a version newer than DIR868LA1 FW112b04. As a temporary workaround, consider restricting access to the soap.cgi endpoint and the receiver parameter to minimize the risk of exploitation.