CVE-2018-17989

Name of the Vulnerable Software and Affected Versions D-Link DSL-3782 version 1.01

Description A stored XSS issue exists in the web interface, allowing authenticated attackers to inject JavaScript or HTML payload inside the ACL page. The injected payload is executed in a user's browser when the "/cgi-bin/New GUI/Acl.asp" API endpoint is requested.

Recommendations For D-Link DSL-3782 version 1.01, as a temporary workaround, consider restricting access to the "/cgi-bin/New GUI/Acl.asp" API endpoint until a patch is available. Avoid using the ACL page in the web interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.