Wavlink AC3000 Persistent Cross-Site Scripting Vulnerability in Login CGI

Vulnerability

A cross-site scripting vulnerability has been identified in the Wavlink AC3000 router, version M33A8.V5030.210505, in the set_lang_CountryCode() function of login.cgi. It allows malicious scripts to be injected through a crafted HTTP request and then executed in the context of the user's browser. The issue arises because login.cgi does not properly validate user authentication, leaving it open to unauthenticated attacks. Exploiting this vulnerability could lead to the disclosure of sensitive information or the injection of persistent XSS scripts that execute on the router's web interface.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user, potentially leading to the theft of session cookies or administrative credentials.

Reproduction

To reproduce this vulnerability, send an unauthenticated HTTP POST request to the login.cgi page with the 'page' parameter set to 'test'. Include a crafted 'langue' parameter that contains the script payload. The injected script will be executed when the 'Language' variable is accessed on the router's web interface.
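A detection check for the request shape described above, as an added example that is not part of the original advisory or of Wavlink's code. It flags POSTs to login.cgi whose 'langue' value falls outside an allowlist; the allowlist pattern, the /cgi-bin/ path and the function names are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: legitimate language values look like "en" or "zh_CN".
# The advisory does not list the values the router actually accepts.
SAFE_LANG = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?")


def check_login_post(method, path, body):
    """Return a finding dict for a suspicious login.cgi POST, else None."""
    if method.upper() != "POST":
        return None
    if not path.split("?", 1)[0].endswith("login.cgi"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    # The advisory's reproduction sets page=test; record whether that matches.
    page_test = "test" in params.get("page", [])
    for value in params.get("langue", []):
        if not SAFE_LANG.fullmatch(value):
            # Decode once more so the finding shows what double-encoded
            # input resolves to when it is later rendered.
            return {"langue": unquote(value)[:80], "page_test": page_test}
    return None


# Constructed sample requests (method, path, form body); not captured traffic.
# The /cgi-bin/ prefix is an assumption; only the file name is matched.
SAMPLES = [
    ("POST", "/cgi-bin/login.cgi", "page=test&langue=en"),
    ("POST", "/cgi-bin/login.cgi", "page=test&langue=%3Cscript%3Ex%3C%2Fscript%3E"),
    ("POST", "/cgi-bin/login.cgi", "page=test&langue=%253Cb%253E"),
    ("GET", "/cgi-bin/login.cgi", "page=test&langue=%3Cb%3E"),
    ("POST", "/cgi-bin/login.cgi", "page=login&langue=%3Cb%3E"),
]


def scan(samples):
    """Return (index, finding) for every sample that produces a finding."""
    return [(i, f) for i, s in enumerate(samples) if (f := check_login_post(*s))]


if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```

The same allowlist, applied where the value is stored and paired with HTML encoding where 'Language' is rendered, is the corresponding server-side mitigation.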

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.3
exploitability: 8.4
remediation: 0.0
relevance: 0.0
threat: 5.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.