Cross-Site Scripting Vulnerability in Allegro RomPager Affecting Multiple Routers
CVE-2013-6786

Currently unrated

Key Information:

Vendor: Zyxel
CVE Published: 16 January 2014

Summary

A cross-site scripting (XSS) vulnerability exists in Allegro RomPager versions prior to 4.51, which is used on various router models. It allows remote attackers to inject arbitrary web script or HTML by exploiting a flaw in the 'forbidden author header' protection mechanism. By sending a crafted HTTP Referer header while requesting a nonexistent URI, an attacker can bypass the protection and have malicious code injected into the 404 error page returned in response. This can lead to unauthorized access to sensitive information or enable phishing attacks against affected users.
