Grandstream GXP1625
cpe:2.3:h:grandstream:gxp1625:*:*:*:*:*:*:*
- 1.0.7.4
A cross-site scripting (XSS) vulnerability has been identified in the Grandstream GXP1625 phone, version 1.0.7.4. It affects an unknown function of the file '/cgi-bin/api.values.post', which belongs to the Network Status Page component. Manipulating the 'vpn_ip' argument leads to basic cross-site scripting. The vulnerability can be exploited remotely, and a public exploit is available.
Successful exploitation lets an attacker inject malicious scripts that are executed in the context of the user's browser.
To reproduce this vulnerability, a normal user can update the 'vpn_ip' system variable with an XSS payload through the '/cgi-bin/api.values.post' endpoint. Once the payload is stored, it will be executed each time the Network Status Page is visited. This could be used to steal cookies from an admin user for further actions.
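As a mitigation sketch for the stored value described above, the following added example (not Grandstream code and not part of the original advisory) shows an input check that a filtering proxy in front of the phone's web interface could apply, plus the output encoding the status page should perform. It assumes the request body is form-encoded and that 'vpn_ip' should only ever hold a bare IP address; the function names and sample requests are constructed for illustration.

```python
import html
import ipaddress
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/api.values.post"  # path named in the advisory
FIELD = "vpn_ip"                       # argument named in the advisory


def is_ip_literal(value: str) -> bool:
    """True only for a bare IPv4/IPv6 address (empty string clears the setting)."""
    if value == "":
        return True
    # Python accepts free-form IPv6 zone IDs after '%', so refuse them outright.
    if "%" in value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_request(path: str, body: str) -> list:
    """Return the rejected vpn_ip values in one POST (empty list means allow).

    Assumption: the body is application/x-www-form-urlencoded.
    """
    if path.split("?", 1)[0] != ENDPOINT:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get(FIELD, []) if not is_ip_literal(v)]


def render_status_value(stored: str) -> str:
    """Output-side fix: HTML-encode the stored value before it reaches the page."""
    return html.escape(stored, quote=True)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/cgi-bin/api.values.post", "vpn_ip=10.8.0.2"),
    ("/cgi-bin/api.values.post", "vpn_ip=%3Cb%3Etest%3C%2Fb%3E"),
    ("/cgi-bin/api.values.post", "vpn_ip=10.8.0.2&vpn_ip=%22%3E%3Ci%3Ex"),
    ("/cgi-bin/other", "vpn_ip=%3Cb%3E"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        bad = check_request(path, body)
        print("BLOCK" if bad else "allow", path, [render_status_value(v) for v in bad])
```

The input check limits what can be stored, while the encoding step is what neutralizes values that were already saved before the filter was in place.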