Arcadyan Meteor 2 CPE FG360 Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Arcadyan Meteor 2 CPE FG360 firmware version ETV2.10. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload, taking advantage of the firmware's inadequate input validation on WiFi SSID fields. The injected scripts are executed in the context of users' web browsers when they access the router's homepage.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the router's homepage.
Reproduction
To reproduce this vulnerability, log into the router's interface and navigate to the WiFi SSID creation section. Create a new SSID by injecting an XSS payload, such as an image tag with an 'onerror' event. Once the SSID is saved, the payload will execute automatically on the homepage when the user logs in.
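The mitigation for the flaw described above, as an added example (not Arcadyan firmware code and not part of the original advisory): the stored SSID is HTML-encoded at the point where the homepage renders it, because a save-time length check alone still accepts a short markup string. All function names and the sample SSIDs are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the vendor's implementation.

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored SSID is concatenated into markup unchanged.
function renderSsidRowUnsafe(ssid) {
  return '<td class="ssid">' + ssid + '</td>';
}

// Hardened pattern: the stored SSID is encoded when it is written into the page.
function renderSsidRowSafe(ssid) {
  return '<td class="ssid">' + escapeHtml(ssid) + '</td>';
}

// Save-time check. 802.11 limits an SSID to 32 octets; rejecting control
// characters is an assumed policy choice. Markup characters stay legal in
// SSIDs, so this check does not replace output encoding.
function validateSsid(ssid) {
  if (typeof ssid !== 'string') return { ok: false, reason: 'not a string' };
  const bytes = new TextEncoder().encode(ssid).length;
  if (bytes < 1 || bytes > 32) return { ok: false, reason: 'length must be 1-32 bytes' };
  if (/[\u0000-\u001f\u007f]/.test(ssid)) return { ok: false, reason: 'control character' };
  return { ok: true, reason: '' };
}

// Constructed sample values: two ordinary names and one markup-bearing name.
const SAMPLE_SSIDS = ['HomeNet-5G', "Tom & Anna's WiFi", '<img src=x onerror=alert(1)>'];

// Returns, per sample, the validation verdict and both renderings for comparison.
function demo() {
  return SAMPLE_SSIDS.map((ssid) => ({
    ssid,
    accepted: validateSsid(ssid).ok,
    unsafe: renderSsidRowUnsafe(ssid),
    safe: renderSsidRowSafe(ssid),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

All three samples pass validation, which is why the encoding step in `renderSsidRowSafe` is the control that keeps the markup-bearing name inert.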
