D-Link DSL-2740R Cross-Site Scripting Vulnerability in Wireless Setup Section

A cross-site scripting (XSS) vulnerability has been identified in the D-Link DSL-2740R router, specifically in the EU_01.15 version. The issue arises in the Wireless Setup section, where the Wireless Network Name (SSID) field does not properly sanitize user input. This flaw allows the injection of malicious payloads, which are then stored and executed in the context of the user's browser when the Status page is accessed. The vulnerability can be exploited remotely, but requires authentication and user interaction.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user’s browser, potentially leading to session hijacking or unauthorized actions within the administrative interface.

Reproduction

To reproduce this vulnerability, log into the D-Link DSL-2740R router and navigate to the Wireless Setup section. Modify the Wireless Network Name (SSID) field by inserting a malicious payload, such as an image tag with an 'onerror' event. Once the payload is saved, it will be executed when the Status page is viewed, demonstrating the cross-site scripting vulnerability.