Claro A7600-A1 Wlan Router Cross-Site Scripting Vulnerability in Ping6 Diagnóstico Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Claro A7600-A1 router, specifically in the Ping6 Diagnóstico component. The issue is in the file '/form2pingv6.cgi', where the 'ip6addr' argument is not validated and accepts markup such as an image tag designed to trigger a JavaScript prompt. The vulnerability can be exploited remotely, but requires authentication and user interaction.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser, potentially leading to the theft of sensitive information or session cookies.
Reproduction
To reproduce this vulnerability, send a POST request to '/form2pingv6.cgi' with the 'ip6addr' parameter containing a crafted image tag that exploits the 'onerror' event. This request must be made from an authenticated user session.
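One way a CGI handler could close this hole, shown as an added example that is not the router's firmware code: accept 'ip6addr' only if it parses as an IPv6 literal, and HTML-encode any value written back into the diagnostic page. The function names are hypothetical, and a Linux-style C environment with inet_pton() is assumed.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: accept ip6addr only if it parses as an IPv6 literal. */
int ip6addr_is_valid(const char *s)
{
    struct in6_addr addr;
    if (s == NULL || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET6, s, &addr) == 1;
}

/* Hypothetical helper: HTML-encode src into dst before it is echoed into a
   page. Returns the encoded length, or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        size_t n;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen)          /* keep room for the terminator */
            return -1;
        if (rep) memcpy(dst + o, rep, n);
        else     dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Hypothetical handler step: 0 and a render-safe value in out, or -1 to reject. */
int prepare_ping6_target(const char *ip6addr, char *out, size_t outlen)
{
    if (!ip6addr_is_valid(ip6addr))
        return -1;
    return html_escape(ip6addr, out, outlen) < 0 ? -1 : 0;
}
```

inet_pton() rejects zone suffixes such as `fe80::1%eth0`, so a handler that must support them needs to split off and validate the zone separately. The encoding step is kept even though validation runs first, so that error pages echoing a rejected value stay safe as well.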
