MikroTik RouterOS Cross-Site Scripting Vulnerability in Hotspot Login

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the hotspot feature of MikroTik's RouterOS, affecting versions prior to 7.19.2. The issue lies in the hotspot login page, where the hidden 'dst' (post-login redirect destination) parameter can be manipulated to carry a 'javascript' URL payload. When a user logs in through a crafted URL, the injected script executes in that user's browser. The vulnerability was confirmed on the latest RouterOS release available at the time of the report.

Impact

Exploitation of this vulnerability allows cross-site scripting: an attacker can inject and execute a malicious script in the context of the victim's browser session on the hotspot login page.

Reproduction

To reproduce this vulnerability, log into a MikroTik router running a RouterOS version prior to 7.19.2 that has a hotspot configured. Submit a login request via POST that includes a 'dst' parameter with a 'javascript' payload. Alternatively, a GET request can be crafted with the same 'dst' injection, which automatically logs the user in and executes the script.
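The root cause is a redirect parameter that is handed to the browser without a scheme check. As an added example that is not MikroTik's code or the RouterOS fix, the validator below shows how a login handler can vet a 'dst'-style target before navigating to it; the HOTSPOT_ORIGIN and DEFAULT_DST values are assumptions, and the same-origin rule goes slightly beyond the page's XSS case to also block redirects off the hotspot.

```javascript
// Added example, not MikroTik's code: validate a post-login redirect
// parameter such as the hotspot 'dst' value before using it for navigation.
// HOTSPOT_ORIGIN and DEFAULT_DST are assumed values for this snippet.
//
// Rule: accept only targets that resolve to http(s) on the hotspot's own
// origin and return them as a normalized relative URL; anything else
// (javascript:, data:, vbscript:, other hosts, unparsable input) falls back
// to DEFAULT_DST. The WHATWG URL parser behind `new URL()` lowercases the
// scheme and strips tabs, newlines and leading/trailing control characters,
// so case and whitespace variations of a scheme are normalized before the
// protocol comparison instead of being matched by a hand-written regex.

const HOTSPOT_ORIGIN = "https://hotspot.example";
const DEFAULT_DST = "/status";

function safeRedirectTarget(dst) {
  if (typeof dst !== "string" || dst.length === 0 || dst.length > 2048) {
    return DEFAULT_DST; // missing, wrong type or implausibly long
  }
  let url;
  try {
    // Relative paths resolve against the login page; absolute URLs keep
    // their own scheme and host, which the checks below then inspect.
    url = new URL(dst, HOTSPOT_ORIGIN + "/login");
  } catch (_err) {
    return DEFAULT_DST; // unparsable input
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return DEFAULT_DST; // not a navigable web scheme (javascript:, data:, ...)
  }
  if (url.origin !== HOTSPOT_ORIGIN) {
    return DEFAULT_DST; // would send the user off the hotspot (open redirect)
  }
  // Hand back only path, query and fragment so the caller never re-embeds
  // an attacker-controlled scheme or host into the redirect.
  return url.pathname + url.search + url.hash;
}
```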

Remediation

Users are advised to update to MikroTik RouterOS version 7.19.2 or later, where this vulnerability has been fixed.

Added: Jul 3, 2025, 12:25 PM
Updated: Jul 3, 2025, 3:29 PM

Vulnerability Rating (Custom Algorithm)

spread          4.5
impact          1.7
exploitability  7.4
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.