TOTOLINK N150RT
cpe:2.3:h:totolink:n150rt:*:*:*:*:*:*:*
- 3.4.0-B20190525
A cross-site scripting (XSS) vulnerability has been identified in the TOTOLINK N150RT router, specifically in V2_Firmware V3.4.0-B20190525. The issue lies in the IP Port Filtering component on the Firewall page, where an unknown function of the file /home.htm improperly handles the 'Comment' input. The vulnerability can be exploited remotely, allowing attackers to inject malicious scripts that are executed in the context of the user.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed when the affected page is visited by users.
To reproduce this vulnerability, navigate to the Firewall page and locate the IP/Port Filtering section. Enable the feature and enter a comment containing a JavaScript payload, such as an SVG image with an onload event. After applying the changes, the injected script will execute immediately and could be triggered again when the page is accessed by another user.
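The root cause described above is a stored Comment value being written into the page without output encoding. The following is an added example, not the firmware's code or the vendor's fix: it contrasts that pattern with an encoded rendering and a save-time allowlist check. All function names, the rule fields, and the comment policy are assumptions made for illustration.

```javascript
// Added example with hypothetical names; the firmware's real code is not on the page.
// Constructed sample rule whose Comment is the kind of value the advisory describes.
const sampleRule = {
  ip: "192.168.0.50",
  port: "80-88",
  protocol: "TCP",
  comment: '<svg onload="alert(1)">',
};

// Vulnerable pattern: stored fields are concatenated straight into markup,
// so the browser parses the Comment as HTML when the rule table is shown.
function renderRuleRowUnsafe(rule) {
  return `<tr><td>${rule.ip}</td><td>${rule.port}</td>` +
    `<td>${rule.protocol}</td><td>${rule.comment}</td></tr>`;
}

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every stored field is encoded on output, not only
// the Comment, so the row stays inert text whatever was saved.
function renderRuleRowSafe(rule) {
  const cells = [rule.ip, rule.port, rule.protocol, rule.comment].map(
    (field) => `<td>${escapeHtml(field)}</td>`
  );
  return `<tr>${cells.join("")}</tr>`;
}

// Defence in depth at save time: an allowlist for comments.
// The character set and 20-character limit are an assumed policy.
const COMMENT_ALLOWED = /^[A-Za-z0-9 _.\-]{0,20}$/;
function isValidComment(comment) {
  return typeof comment === "string" && COMMENT_ALLOWED.test(comment);
}

console.log(renderRuleRowSafe(sampleRule));
console.log("comment accepted at save time:", isValidComment(sampleRule.comment));
```

Output encoding is the primary control here because it also neutralizes values already stored before any input validation was introduced.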