CVE-2024-41584

Name of the Vulnerable Software and Affected Versions: DrayTek Vigor3910 versions 4.3.2.6 and earlier

Description: The issue is caused by a reflected XSS vulnerability due to missing validation of the sFormAuthStr parameter. This allows authenticated users to conduct cross-site scripting attacks. The vulnerability exists in the wlogin.cgi script of the web interface of DrayTek Vigor3910 devices, which fails to protect the structure of web pages, enabling remote attackers to perform inter-site scripting attacks.

Recommendations: For DrayTek Vigor3910 versions 4.3.2.6 and earlier, as a temporary workaround, consider disabling the wlogin.cgi script until a patch is available. Restrict access to the vulnerable sFormAuthStr parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.