PT-2020-17235 · Asus · Rt-Ac88U Download Master

Marc Ruef · Published 2020-12-09 · Updated 2020-12-10 · CVE-2020-29655

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

RT-AC88U Download Master versions prior to 3.1.0.108

Description

An injection issue allows an attacker to influence the appearance of the login page. A request to "Main_Login.asp?flag=1&productname=FOOBAR&url=/downloadmaster/task.asp" redirects to the login site, which displays the value of the productname parameter within the title.

Recommendations

Update versions prior to 3.1.0.108 to version 3.1.0.108 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Main_Login.asp" endpoint until a patch is applied. Avoid using the productname parameter in the affected API endpoint until the issue is resolved.
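
For devices that cannot be updated right away, web access logs can be checked for login-page requests that carry an unexpected productname value. The following is an added example, not code from the vendor or from this advisory; the Common Log Format input, the EXPECTED_PRODUCT_NAMES allow-list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only product name this device should ever show in the title.
EXPECTED_PRODUCT_NAMES = {"RT-AC88U"}
LOGIN_PAGE = "main_login.asp"  # compared case-insensitively

# Client address and request target from a Common Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"'
)

def suspicious_productname(line):
    """Return (client, value) when the login page is requested with a
    productname outside the allow-list, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rsplit("/", 1)[-1].lower() != LOGIN_PAGE:
        return None
    # parse_qs percent-decodes, so encoded values are compared in clear text.
    for value in parse_qs(url.query, keep_blank_values=True).get("productname", []):
        if value not in EXPECTED_PRODUCT_NAMES:
            return (m.group("client"), value)
    return None

def scan(lines):
    """Collect findings for every log line that trips the check."""
    return [hit for hit in map(suspicious_productname, lines) if hit]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Dec/2020:10:00:00 +0000] "GET /Main_Login.asp?flag=1'
    '&productname=FOOBAR&url=/downloadmaster/task.asp HTTP/1.1" 200 512',
    '192.0.2.11 - - [09/Dec/2020:10:00:05 +0000] "GET /Main_Login.asp?flag=1'
    '&productname=RT-AC88U&url=/downloadmaster/task.asp HTTP/1.1" 200 512',
    '192.0.2.12 - - [09/Dec/2020:10:00:09 +0000] "GET /downloadmaster/task.asp'
    ' HTTP/1.1" 302 0',
    '198.51.100.7 - - [09/Dec/2020:10:01:00 +0000] "GET /main_login.asp'
    '?productname=FOO%20BAR HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} requested login page with productname={value!r}")
```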

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2020-29655

Affected Products

Rt-Ac88U Download Master