Headline
CVE-2022-40010: Tenda AC6 AC1200 15.03.06.50_multi Cross Site Scripting ≈ Packet Storm
Tenda AC6 AC1200 Smart Dual-Band WiFi Router 15.03.06.50_multi was discovered to contain a cross-site scripting (XSS) vulnerability via the deviceId parameter in the Parental Control module.
# Exploit Title: Stored Cross-Site scripting in the Tenda router via the deviceId parameter in the Parental Control module# Google Dork: None.# Date: Aug-30-2022# Exploit Author: 0x783# Vendor Homepage: https://tendacn.com/default.html# Software Link: https://www.tendacn.com/product/download/AC6.html# Version: AC6 AC1200 Smart Dual-Band WiFi Router - V15.03.06.50_multi# Tested on: Linux 5.15.0-58-generic# CVE : CVE-2022-40010-------------------------------------------------------------------------# 1. Technical Description:Tenda AC6 AC1200 Smart Dual-Band WiFi Router V15.03.06.50 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the deviceId parameter in the parental control section.# Steps to reproduce:1- Navigate to the router webserver usually at "http://192.168.0.1", or whatever the address of the router is.2- Navigate to the parental control section from the side bar.3- Add a new device to the list with any fake MAC address, device name, URL.4- Intercept the request using burpsuite and change the "deviceId" parameter to any javascript code (EX: <script>alert(document.domain")</script>).5- A pop-up with the domain should appear.
Related news
Tenda AC6 AC1200 15.03.06.50_multi Cross Site Scripting
Tenda AC6 AC1200 version 15.03.06.50_multi suffers from a persistent cross site scripting vulnerability.