Intelbras RX1500
cpe:2.3:h:intelbras:rx_1500:*:*:*:*:*:*:*
- 2.2.9
A cross-site scripting (XSS) vulnerability has been identified in the Intelbras RX1500 router running firmware version 2.2.9 and the RX3000 router on version 1.0.11. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the name of a connected device. The issue arises from inadequate input validation in the device name field, enabling the injection of persistent JavaScript that is executed when the injected data is viewed.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.
To reproduce this vulnerability, an authenticated user can inject a script payload into the 'Name' field of a connected device via the 'Home > Connected clients' configuration feature. Alternatively, the same injection can be performed through the 'Settings > Wi-Fi > Guest Network' menu by inserting a script into the 'Wi-Fi network name' field for either the 2.4GHz or 5GHz networks. Once the payload is injected, it will execute when the corresponding network or client information is accessed.
Users are advised to update to the beta firmware version 2.2.12 for the RX1500 and version 1.0.21 for the RX3000, both released on November 19, 2024.
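The following added example is not Intelbras firmware code. It sketches the defensive pattern for the fields named above: validate a client name or Wi-Fi network name when it is saved, and HTML-encode it every time it is rendered. All function names, the 32-byte limit for client names and the sample data are assumptions made for illustration.

```javascript
// Added example: hypothetical handlers, not taken from the router firmware.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: applied whenever a stored name is written into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation on save: bound the length and reject control characters.
// An SSID is at most 32 bytes; reusing that limit for client names is an assumption.
function validateName(name, maxBytes = 32) {
  if (typeof name !== 'string' || name.length === 0) return { ok: false, reason: 'empty' };
  if (new TextEncoder().encode(name).length > maxBytes) return { ok: false, reason: 'too long' };
  if (/[\u0000-\u001f\u007f]/.test(name)) return { ok: false, reason: 'control character' };
  return { ok: true };
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged.
function renderClientRowUnsafe(client) {
  return `<tr><td>${client.name}</td><td>${client.mac}</td></tr>`;
}

// Hardened pattern: every stored field is encoded at the point of output.
function renderClientRow(client) {
  return `<tr><td>${escapeHtml(client.name)}</td><td>${escapeHtml(client.mac)}</td></tr>`;
}

function renderClientTable(clients) {
  return `<table>${clients.map(renderClientRow).join('')}</table>`;
}

// Constructed sample data: the second name contains harmless markup.
const sampleClients = [
  { name: 'living-room-tv', mac: '02:00:00:00:00:01' },
  { name: '<i>printer</i>', mac: '02:00:00:00:00:02' },
];

for (const client of sampleClients) {
  console.log(validateName(client.name).ok, renderClientRow(client));
}
```

The second sample name passes validation, because angle brackets are legal characters in a network or device name. Length and character checks therefore do not remove the need for encoding at output.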