Nexxt Solutions NCM-X1800 Mesh Router Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Nexxt Solutions NCM-X1800 Mesh Router, specifically in firmware versions UV1.2.7 and below. This vulnerability allows attackers to inject JavaScript that is executed in the context of administrator sessions. The issue arises in the device management page, where the DEVICE_ALIAS parameter is sent to the /web/um_device_set_aliasname endpoint.

Impact

Exploitation of this vulnerability could lead to session hijacking, credential theft, or unauthorized actions being performed as an administrator.

Reproduction

To reproduce this vulnerability, log into the Nexxt Solutions NCM-X1800 Mesh Router with an administrator account. Navigate to the device management page and use the alias feature to inject a JavaScript payload into the DEVICE_ALIAS parameter. Once the alias is set, the injected script executes in the context of the admin session whenever the device management page is viewed.
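The store-then-render flaw class described above, shown beside its fix from the defender's side. This is an added example, not code from the router firmware or from the advisory; the function names, the 32-character limit and the allowed character set are assumptions, and the sample devices are constructed.

```javascript
// Added example: hypothetical names, not the NCM-X1800 firmware's own code.
const ALIAS_MAX_LEN = 32;                     // assumed limit
const ALIAS_PATTERN = /^[A-Za-z0-9 _.\-]+$/;  // assumed allow-list

// Input side: reject aliases that carry markup before they are stored.
function validateAlias(alias) {
  if (typeof alias !== "string") return false;
  const t = alias.trim();
  return t.length > 0 && t.length <= ALIAS_MAX_LEN && ALIAS_PATTERN.test(t);
}

// Hypothetical handler for a DEVICE_ALIAS update request.
function setAlias(store, mac, alias) {
  if (!validateAlias(alias)) return { ok: false, error: "invalid alias" };
  store.set(mac, alias.trim());
  return { ok: true };
}

// Output side: encode for the HTML context even if the value was validated,
// because values stored before the fix may still be in the database.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored alias is concatenated into markup as-is.
function renderRowUnsafe(d) {
  return `<tr><td>${d.mac}</td><td>${d.alias}</td></tr>`;
}

// Hardened pattern: every dynamic value is encoded at render time.
function renderRowSafe(d) {
  return `<tr><td>${escapeHtml(d.mac)}</td><td>${escapeHtml(d.alias)}</td></tr>`;
}

// Constructed sample data: one ordinary alias, one carrying inert markup.
const SAMPLE_DEVICES = [
  { mac: "00:11:22:33:44:55", alias: "Living room TV" },
  { mac: "00:11:22:33:44:66", alias: "<script>/* constructed marker */</script>" },
];

function demo() {
  return SAMPLE_DEVICES.map((d) => ({
    accepted: validateAlias(d.alias),
    unsafe: renderRowUnsafe(d),
    safe: renderRowSafe(d),
  }));
}

console.log(demo());
```

Validation on write and encoding on read are both needed: the first stops new markup from being stored, the second neutralizes anything already saved.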

Added: Jul 15, 2025, 3:32 PM
Updated: Jul 15, 2025, 3:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.