CVE-2020-25786

Name of the Vulnerable Software and Affected Versions D-Link DIR-816L version 2.06.B09 BETA D-Link DIR-803 version 1.04.B02

Description The issue allows for XSS via the HTTP Referer header in the webinc/js/info.php file. This typically is not exploitable due to URL encoding, except in Internet Explorer, and because a web page cannot specify that a client should make an additional HTTP request with an arbitrary Referer header. The vulnerability only affects products that are no longer supported by the maintainer.

Recommendations For D-Link DIR-816L version 2.06.B09 BETA, consider disabling access to the webinc/js/info.php file until a patch is available. For D-Link DIR-803 version 1.04.B02, consider disabling access to the webinc/js/info.php file until a patch is available. As a temporary workaround, restrict access to the vulnerable devices to minimize the risk of exploitation.