BDCOM P3310D Cross-Site Scripting Vulnerability in New User Page

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the BDCOM P3310D router, specifically in version 0.4.2 10.1.0F Build 86345. The issue resides in the New User Page component, within the file '/index.asp'. The application does not properly sanitize the 'User name' input before displaying it, which allows attackers to inject malicious scripts. The injected script is executed when the page is accessed, potentially leading to session hijacking or unauthorized actions.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, access the router's web interface and navigate to the New User Page under User Management. When creating a new user, enter a script payload in the 'User name' field. Once the user is created, the injected script will execute whenever the New User Page is accessed.
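
The fix pattern for the unsanitized 'User name' field described above, as an added example that is not BDCOM code or part of the original advisory: validate the name when the user is created, HTML-encode it when it is displayed, and audit names that are already stored. The function names, the allow-list policy and the sample account names are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; this is not BDCOM firmware code.

// Allow-list applied when an account is created (assumed policy:
// letters, digits, underscore, dot and hyphen, 1 to 32 characters).
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

function isValidUserName(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Output encoding for HTML element content and quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The weak pattern the advisory describes: a stored name is concatenated
// into the page markup as-is, so any markup in it is parsed by the browser.
function renderUserRowUnsafe(name) {
  return "<tr><td>" + name + "</td></tr>";
}

// Hardened form: encode at the point of output, whatever was stored.
function renderUserRowSafe(name) {
  return "<tr><td>" + escapeHtml(name) + "</td></tr>";
}

// Audit helper: return stored account names that fail the allow-list,
// so an administrator can review accounts created before the fix.
function auditStoredNames(names) {
  return names.filter((n) => !isValidUserName(n));
}

// Constructed sample data; harmless markup stands in for an injected name.
const storedNames = ["admin", "noc-operator", 'guest<b title="x">1</b>'];

for (const n of storedNames) {
  console.log(renderUserRowSafe(n));
}
console.log("needs review:", auditStoredNames(storedNames));
```

Encoding on output is the control that closes the issue; the allow-list and the audit reduce what reaches the page and surface names stored before the fix.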

Added: Apr 25, 2026, 8:18 PM
Updated: Apr 25, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.