Smoothwall Express Stored Cross-Site Scripting Vulnerability in Modem.cgi

A stored cross-site scripting vulnerability has been identified in Smoothwall Express version 3.1-SP4-polar-x86_64-update9. The issue resides in the modem.cgi script, where attackers can inject malicious scripts through POST parameters. Vulnerable parameters include INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, and PULSE_DIAL. When the stored data is accessed, the injected scripts are executed as arbitrary JavaScript in the users' browsers.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a POST request to the modem.cgi script with one of the vulnerable parameters (INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, or PULSE_DIAL). Include a script payload in the parameter value. Once the payload is injected, it will be executed as JavaScript when the stored data is retrieved.