CVE-2019-11017

Name of the Vulnerable Software and Affected Versions D-Link DI-524 version V2.06RU

Description The issue concerns multiple Stored and Reflected XSS vulnerabilities found in the Web Configuration of the device. Specifically, the vulnerabilities are located in the /spap.htm, /smap.htm, and /cgi-bin/smap API endpoints, with the RC parameter being exploited in the /cgi-bin/smap endpoint. This allows a remote attacker to inject JavaScript code into the device's web interface pages, including the web configuration files spap.htm and smap.htm.

Recommendations For D-Link DI-524 version V2.06RU, as a temporary workaround, consider disabling access to the /spap.htm, /smap.htm, and /cgi-bin/smap API endpoints until a patch is available. Additionally, restrict the use of the RC parameter in the /cgi-bin/smap endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.