LB-Link BL-CPE300M AX300 4G LTE Router Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the LB-Link BL-CPE300M AX300 4G LTE router, specifically in firmware version 01.01.02P42U14_06. The vulnerability resides in the router's web interface, in the '/goform/goform_get_cmd_process' endpoint. This endpoint does not sanitize or encode the value of the 'cmd' parameter before reflecting it in a text/html response. As a result, unauthenticated attackers can inject arbitrary JavaScript, which executes in the context of the router's origin when the manipulated URL is opened. Exploitation requires user interaction: a victim must open the crafted URL.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the user's browser as if they originated from the router's web interface.

Reproduction

To reproduce this vulnerability, access the router's web interface through a browser. Navigate to the '/goform/goform_get_cmd_process' endpoint and supply a crafted 'cmd' parameter that injects JavaScript, such as a script that triggers an alert. Once the crafted URL is opened, the injected script executes immediately, because the parameter value is reflected into the HTML response without validation or output encoding.
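The following Python module is an added illustration, not code from the vendor or from this advisory. It models the reflection flaw described above beside a hardened handler, and it adds a small detector that scans web-server access logs for requests to the affected endpoint whose 'cmd' value contains HTML or JavaScript metacharacters. The endpoint path and parameter name come from the advisory; the allowlist of command names and the sample log lines are constructed assumptions, since the firmware's real command set is not documented on the page.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Endpoint and parameter named in the advisory.
ENDPOINT = "/goform/goform_get_cmd_process"
PARAM = "cmd"

# Hypothetical allowlist of command names the handler is willing to serve.
# The firmware's real command set is not documented on the page.
ALLOWED_CMDS = {"wan_ipaddr", "lan_ipaddr", "sys_uptime"}


def render_vulnerable(cmd: str) -> str:
    """Models the flaw described above: the 'cmd' value is copied verbatim
    into a text/html body, so any markup it carries is parsed by the browser."""
    return f"<html><body>result for {cmd}: n/a</body></html>"


def render_hardened(cmd: str) -> tuple[dict, str]:
    """Fixed handler: allowlist the parameter, never reflect rejected input,
    HTML-escape whatever is reflected, and send response headers that limit
    the damage if an escape is ever missed elsewhere in the interface."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    if cmd not in ALLOWED_CMDS:
        # Constant message: the rejected value is not echoed at all.
        return headers, "<html><body>unknown command</body></html>"
    # Escaping is redundant for allowlisted names but costs nothing and
    # keeps the template safe if the allowlist is loosened later.
    return headers, f"<html><body>result for {html.escape(cmd)}: n/a</body></html>"


# --- detection over access logs -------------------------------------------

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that should never appear in a legitimate command name.
SUSPECT_RE = re.compile(r"""[<>"'`]|javascript:""", re.IGNORECASE)

# Constructed sample lines in Common Log Format (not taken from any device).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2025:15:21:00 +0000] "GET /goform/goform_get_cmd_process?cmd=wan_ipaddr HTTP/1.1" 200 85
192.0.2.11 - - [31/Jul/2025:15:21:05 +0000] "GET /goform/goform_get_cmd_process?cmd=%3Cscript%3E HTTP/1.1" 200 120
192.0.2.12 - - [31/Jul/2025:15:21:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def flag_reflected_xss_attempts(log_text: str) -> list[dict]:
    """Return one record per request to the vulnerable endpoint whose 'cmd'
    value contains HTML/JS metacharacters after percent-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so an encoded %3C is inspected as '<'.
        for value in parse_qs(url.query).get(PARAM, []):
            if SUSPECT_RE.search(value):
                hits.append({"client": line.split()[0], "cmd": value})
    return hits


if __name__ == "__main__":
    print(render_vulnerable("<b>x</b>"))
    print(render_hardened("<b>x</b>")[1])
    for hit in flag_reflected_xss_attempts(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The hardened handler applies two independent controls: an allowlist decides whether a value is served at all, and output encoding makes anything that is reflected inert. The detector decodes the query string before matching so that percent-encoded metacharacters are not missed; on a real device the same logic would run over the router's or an upstream proxy's access log.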

Added: Jul 31, 2025, 3:21 PM
Updated: Jul 31, 2025, 3:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.