Stored and Reflected XSS Vulnerabilities in D-Link DI-524 Devices
CVE-2019-11017

4.8MEDIUM

Key Information:

Vendor: D-Link
Status: Di-524 Firmware
Vendor: CVE Published:; 18 April 2019

What is CVE-2019-11017?

Multiple Stored and Reflected Cross-Site Scripting (XSS) vulnerabilities exist in the web configuration interface of D-Link DI-524 V2.06RU devices. These vulnerabilities can be exploited through specially crafted requests to the vulnerable endpoints, including /spap.htm, /smap.htm, and /cgi-bin/smap. Successful exploitation may allow attackers to execute arbitrary scripts in the context of a user's session, potentially compromising sensitive data and affecting user interactions with the device.

References

http://packetstormsecurity.com/files/152465/D-Link-DI-524...

x_refsource_MISC

https://www.exploit-db.com/exploits/46687

exploitx_refsource_EXPLOIT-DB

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2019
Vulnerability Reserved
Apr 8, 2019