Vulnerability Title: Stored XSS via Unsanitized User Input in EDIMAX BR6288ACL v1.12 2.4GHz Wireless Configuration (wiz_WISP24gmanual.asp)
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: EDIMAX BR6288ACL v1.12
Component: EDIMAX BR6288ACL 2.4GHz Wireless Configuration (wiz_WISP24gmanual.asp)
The vulnerability exists in the wiz_WISP24gmanual.asp page, where user input from the manualssid field is directly passed to the configuration without proper sanitization. This allows an attacker to inject malicious JavaScript, which is stored in the router’s configuration. When the configuration is accessed again, the injected payload executes, leading to Stored Cross-Site Scripting (XSS).
The wiz_WISP24gmanual.asp page handles user input for the 2.4GHz wireless configuration, where the manualssid parameter is used to set the SSID value. Although basic checks are performed to ensure the field is not empty and meets length requirements, the input is not sanitized or encoded to filter special characters such as <, >, ", ', and &.
As a result, an attacker can inject a malicious JavaScript payload into the manualssid field (e.g., <script>alert('XSS')</script>). This value is stored in the device configuration and later rendered directly in the web interface. When the affected page is loaded, the injected script is executed in the victim’s browser context, resulting in a Stored Cross-Site Scripting (XSS) vulnerability.

Because the Wireless Network Name (SSID) field is neither sanitized on input nor encoded on output, injected JavaScript runs whenever the configuration is displayed, potentially causing session hijacking or unauthorized actions.
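
The missing step described above is output encoding of the stored SSID before it is written into the page. The following is an added example, not code from the EDIMAX firmware or the original report: the helper name `html_escape` and the `<input>` markup are assumptions chosen for illustration, and the sample SSID is the payload quoted in this advisory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the EDIMAX firmware): HTML-encode a stored
 * value before it is written into a page. Returns the encoded length, or -1
 * if the result does not fit, so a caller never emits a truncated entity. */
static int html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;

    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };  /* pass-through for ordinary bytes */
        size_t n;

        switch (*in) {                /* the five characters named above */
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (used + n >= outsz) {      /* keep one byte for the terminator */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed sample: the payload quoted in the advisory as a stored SSID. */
    const char *ssid = "<script>alert('XSS')</script>";
    char enc[32 * 6 + 1];             /* 32-byte SSID, worst case 6 bytes each */

    if (html_escape(ssid, enc, sizeof enc) < 0)
        return 1;                     /* refuse to render rather than truncate */
    printf("<input name=\"manualssid\" value=\"%s\">\n", enc);
    return 0;
}
```

Encoding at render time protects every page that displays the stored value, including values written to the configuration before any input filter existed.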
