Datacom DM4100 Cross-Site Scripting Vulnerability in Ethernet Configuration Page
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the Datacom DM4100 router, specifically in version 1.3.6.1.4.1.3709. The issue arises in the Ethernet Configuration Page, where the application fails to properly sanitize input in the 'Name' field. This lack of input validation allows the injection of malicious scripts, which are executed when the page is accessed. The vulnerability can be exploited remotely and requires user interaction.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to session hijacking or unauthorized actions within the router's management interface.
Reproduction
To reproduce this vulnerability, log into the Datacom DM4100 router interface and navigate to the Ethernet Configuration Page. In the 'Name' field, enter a script payload, such as an image tag with an 'onerror' event. Once the payload is submitted, it will be stored and executed when the page is revisited, demonstrating the cross-site scripting vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.