PT-2024-22260 · Ubee · Ubee Ddw365

Edward Warren · Published 2024-03-19 · Updated 2024-10-31 · CVE-2024-28092

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: UBEE DDW365 XCNDDW365 version 8.14.3105 on hardware 3.13.1

Description: The issue allows a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via several ASP pages, including RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, or RgParentalBasic.asp. The affected fields are SMTP Server Name, SMTP Username, Host Name, Time Server 1, Time Server 2, Time Server 3, Target, Add Keyword, Add Domain, and Add Allowed Domain.

Recommendations: For UBEE DDW365 XCNDDW365 version 8.14.3105 on hardware 3.13.1, consider disabling access to the vulnerable ASP pages, such as RgFirewallEL.asp, RgDdns.asp, RgTime.asp, RgDiagnostics.asp, and RgParentalBasic.asp, until a patch is available. Restrict input for the affected fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
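The recommendation to restrict input for the affected fields can be made concrete with a server-side validation and output-encoding layer. The following is an added example written for this page; it is not the vendor's firmware code and not part of the advisory. The field names are taken from the advisory, but the grouping into hostname-shaped fields (servers, domains, target host) and free-text fields (username, keyword), the length limits, and the helper names are assumptions. The point it demonstrates is the two-layer defence: syntactic allow-listing where the field has a well-defined shape, and HTML escaping on output for every stored value regardless of validation.

```python
import html
import re

# RFC 1123 style hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 characters per label. Overall length is capped below.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
MAX_HOSTNAME_LEN = 253

# Assumed grouping of the advisory's affected fields by expected value shape.
HOSTNAME_FIELDS = {
    "SMTP Server Name", "Host Name", "Time Server 1", "Time Server 2",
    "Time Server 3", "Target", "Add Domain", "Add Allowed Domain",
}
FREE_TEXT_FIELDS = {"SMTP Username", "Add Keyword"}
MAX_TEXT_LEN = 64  # assumed bound for free-text fields


def is_valid_hostname(value: str) -> bool:
    """Allow-list check for fields that must hold a hostname or domain."""
    return len(value) <= MAX_HOSTNAME_LEN and HOSTNAME_RE.fullmatch(value) is not None


def is_valid_free_text(value: str) -> bool:
    """Free-text fields get a length bound and printable-ASCII restriction only;
    markup characters are not rejected here because output encoding handles them."""
    return 0 < len(value) <= MAX_TEXT_LEN and all(32 <= ord(c) < 127 for c in value)


def validate_field(field: str, value: str) -> bool:
    """Dispatch to the validator matching the field's expected shape."""
    if field in HOSTNAME_FIELDS:
        return is_valid_hostname(value)
    if field in FREE_TEXT_FIELDS:
        return is_valid_free_text(value)
    raise KeyError(f"unknown field: {field}")


def save_setting(settings: dict, field: str, value: str) -> dict:
    """Store a value only if it passes validation; reject otherwise."""
    if not validate_field(field, value):
        raise ValueError(f"rejected value for {field!r}")
    settings[field] = value
    return settings


def render_value(value: str) -> str:
    """Output encoding: escape every stored value when echoing it into HTML,
    including quotes, so it lands in an attribute or text node as inert text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    cfg = {}
    save_setting(cfg, "Time Server 1", "pool.ntp.example")
    save_setting(cfg, "Add Keyword", "gambling")
    for name, val in cfg.items():
        print(f"{name}: {render_value(val)}")
```

Hostname-shaped fields fail closed on anything containing `<`, `>`, quotes or spaces because those characters are simply not in the allowed alphabet. For the free-text fields, where an allow-list would break legitimate values, `render_value` is what prevents a stored string from being interpreted as markup when the settings page is rendered again.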

Weakness Enumeration: XSS

Related Identifiers: CVE-2024-28092

Affected Products: Ubee Ddw365