D-Link DAP-2695
cpe:2.3:h:d-link:dap-2690:*:*:*:*:*:*:*, +6 more
- 120b36r137_ALL_en_20210528
A cross-site scripting vulnerability has been identified in the D-Link DAP-2695 access point, specifically in the firmware version 120b36r137_ALL_en_20210528. The issue arises in an unknown function of the file /adv_dhcps.php, within the Static Pool Settings Page component. The vulnerability is triggered by manipulating the f_mac argument, allowing remote attackers to inject malicious scripts. This vulnerability affects products that are no longer supported by the manufacturer.
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
To reproduce this vulnerability, access the Static Pool Settings Page on a D-Link DAP-2695 access point running the affected firmware version. Manipulate the f_mac argument to inject a script. Once the argument is processed, the injected script will be executed, demonstrating the cross-site scripting vulnerability.
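A defender-side check for the issue described above, added here as an example and not taken from the advisory or from D-Link: since the affected firmware is unsupported, one practical control is to flag requests to /adv_dhcps.php whose f_mac value is not a syntactically valid MAC address. It assumes access logs from a proxy in front of the management interface in a combined-log-style format and that f_mac travels in the query string; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Names taken from the advisory: the affected file and argument.
TARGET_PATH = "/adv_dhcps.php"
PARAM = "f_mac"

# A legitimate value is six hex octets separated by ':' or '-'.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")

# Assumption: the request line is the quoted field of a combined-style log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_f_mac(line):
    """Return the decoded f_mac values in one log line that are not MAC addresses."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != TARGET_PATH:
        return []
    # parse_qs percent-decodes values and keeps repeated parameters.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not MAC_RE.fullmatch(v)]


def scan(lines):
    """Return (line_number, bad_values) for each line that needs review."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_f_mac(line)
        if bad:
            hits.append((n, bad))
    return hits


# Constructed sample log lines (not from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /adv_dhcps.php?f_mac=00%3A11%3A22%3A33%3A44%3A55 HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2024:10:05:00 +0000] "GET /adv_dhcps.php?f_mac=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /index.php?f_mac=zz HTTP/1.1" 200 128',
    '192.0.2.77 - - [01/Jan/2024:10:07:00 +0000] "POST /adv_dhcps.php?f_mac=00-11-22-33-44-55&f_mac=not-a-mac HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, bad in scan(SAMPLE_LOG):
        print(f"line {n}: non-MAC f_mac value(s): {bad!r}")
```

Values submitted in a POST body do not appear in access logs, so the same allow-list pattern would have to be enforced at the proxy to cover them.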