PT-2025-3005 · Nradio · Nradio N8-180 Nros

Edward Warren · Published 2025-02-03 · Updated 2025-02-03 · CVE-2024-53943

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

NRadio N8-180 NROS version 1.9.2.n3.c5

Description

An issue was discovered in NRadio devices, where the "/cgi-bin/luci/nradio/basic/radio" endpoint is vulnerable to XSS via the 2.4 GHz and 5 GHz name parameters. This allows an attacker to execute JavaScript within the context of the current user by injecting JavaScript into the SSID field. If an administrator logs into the device, the injected script runs in their browser, executing the malicious payload.

Recommendations

For NRadio N8-180 NROS version 1.9.2.n3.c5, as a temporary workaround, consider disabling access to the "/cgi-bin/luci/nradio/basic/radio" endpoint until a patch is available. Restrict the use of the 2.4 GHz and 5 GHz name parameters in this endpoint to minimize the risk of exploitation. Avoid using the SSID field in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
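
An added example, not NRadio's or the advisory author's code: a Python sketch of the two server-side controls that address this class of bug, validating the 2.4 GHz and 5 GHz names on input and HTML-encoding them wherever they are rendered. The keys `ssid_2g` and `ssid_5g`, the function names and the sample values are assumptions made for illustration; the page does not give the real parameter names.

```python
import html

MAX_SSID_BYTES = 32               # 802.11 limits an SSID to 32 octets
MARKUP_CHARS = set("<>\"'&`")     # conservative deny-list for a value shown in HTML


def ssid_problems(ssid):
    """Return the reasons an SSID value should be rejected or flagged."""
    problems = []
    if len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        problems.append("too_long")
    if any(ch in MARKUP_CHARS for ch in ssid):
        problems.append("markup_char")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in ssid):
        problems.append("control_char")
    return problems


def audit(radio_config):
    """Map each band key to its problems; clean values are omitted."""
    findings = {}
    for key, value in radio_config.items():
        problems = ssid_problems(value)
        if problems:
            findings[key] = problems
    return findings


def render_ssid_cell(ssid):
    """Encode on output, so a stored value is displayed as text, never parsed as markup."""
    return "<td>" + html.escape(ssid, quote=True) + "</td>"


# Constructed sample values; the key names are hypothetical.
SAMPLE_CONFIG = {
    "ssid_2g": "Office-WiFi",
    "ssid_5g": "<b>Guest</b>",
}

if __name__ == "__main__":
    for key, problems in audit(SAMPLE_CONFIG).items():
        print(f"{key}: rejected ({', '.join(problems)})")
    print(render_ssid_cell(SAMPLE_CONFIG["ssid_5g"]))
```

Output encoding is the control that matters for values already stored on a device; input validation alone does not neutralise an SSID saved before the check existed.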

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-53943

Affected Products

Nradio N8-180 Nros