D-Link DAP-2695 Cross-Site Scripting Vulnerability in ARP Spoofing Prevention Page

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the D-Link DAP-2695 access point running firmware version 120b36r137_ALL_en_20210528. The issue is on the ARP Spoofing Prevention page, where the 'Gateway MAC Address' field is not properly validated on the server side. This flaw allows remote attackers to inject malicious scripts that are executed when the page is viewed by others.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the ARP Spoofing Prevention page.

Reproduction

To reproduce this vulnerability, access the ARP Spoofing Prevention page on the D-Link DAP-2695. Use Burp Suite to intercept the request when adding a new ARP spoofing prevention rule. Modify the 'harp_mac' parameter to include a script payload, such as an SVG image with an 'onload' event. Send the modified request and refresh the ARP Spoofing Prevention page to execute the injected script.
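The following is an added example, not code from the advisory or from D-Link's firmware: server-side allow-list validation for the 'harp_mac' parameter, combined with output encoding when the rule list is rendered. The handler shape, function names, in-memory store and sample values are assumptions for illustration.

```python
import html
import re

# Exactly six hex octets joined by one consistent separator (':' or '-').
# fullmatch() is used so a trailing newline or extra text cannot slip through.
_MAC_RE = re.compile(
    r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
)

# Constructed stand-in for the kind of markup the advisory describes.
CONSTRUCTED_PAYLOAD = "<svg onload=EXAMPLE>"


def normalize_mac(value):
    """Return the canonical AA:BB:CC:DD:EE:FF form, or None if invalid."""
    if not isinstance(value, str) or _MAC_RE.fullmatch(value) is None:
        return None
    return value.replace("-", ":").upper()


def handle_add_rule(form, store):
    """Hypothetical server-side handler for the add-rule request.

    The check runs on the server, so a request edited in an intercepting
    proxy is rejected regardless of any client-side form validation.
    """
    mac = normalize_mac(form.get("harp_mac"))
    if mac is None:
        return 400, "invalid gateway MAC address"
    store.append(mac)
    return 200, "rule added"


def render_rules(store):
    """Render stored rules, escaping every value on output.

    Escaping also neutralizes entries that were saved before input
    validation was deployed.
    """
    rows = "".join(
        f"<tr><td>{html.escape(entry, quote=True)}</td></tr>" for entry in store
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    rules = []
    print(handle_add_rule({"harp_mac": "00-1a-2b-3c-4d-5e"}, rules))
    print(handle_add_rule({"harp_mac": CONSTRUCTED_PAYLOAD}, rules))
    print(render_rules(rules + [CONSTRUCTED_PAYLOAD]))
```

Validation alone does not clean up values already stored on a device, which is why the rendering path escapes independently of the input check.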

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.7
exploitability: 5.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.