TOTOLINK A3002RU Cross-Site Scripting Vulnerability in NAT Mapping Page

A cross-site scripting (XSS) vulnerability has been identified in the TOTOLINK A3002RU router, specifically in version 2.1.1-B20230720.1011. The issue arises on the NAT Mapping page, where an unknown function fails to properly sanitize the 'Comment' input. This vulnerability can be exploited remotely, allowing attackers to inject malicious scripts that are stored and executed when the page is visited.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the NAT Mapping page.

Reproduction

To reproduce this vulnerability, navigate to the NAT Mapping page in the router's settings. In the Comment input box, enter a payload such as '<svg/onload=alert()>' and click the Apply button. The injected script will be executed immediately, demonstrating the cross-site scripting vulnerability. Since this is a stored XSS issue, the script will also execute for other users who visit the page.