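Related vulnerability
Title: N/A (CVE-2025-26202)
Description: A cross-site scripting (XSS) vulnerability exists in the WPA/WAPI passphrase field of the wireless security settings (2.4GHz and 5GHz bands) in the DZS router web interface. An authenticated attacker can inject malicious JavaScript into the passphrase field; the script is stored and executed when an administrator views the passphrase via the "Click here to display" option on the Status page.
Introduction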
# CVE-2025-26202-Details
# CVE-2025-26202: Cross-Site Scripting (XSS) in DZS Router Web Interface
## Description
A **Cross-Site Scripting (XSS)** vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in the DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page.
## Affected Products
- **Vendor**: DZS
- **Product**: ZNID-GPON-2428B1-0ST
- **Firmware Version**: S4.2.022
## Vulnerability Type
- **Cross-Site Scripting (XSS)**
## Impact
- **Session Hijacking**: An attacker can hijack the administrator's session.
- **Arbitrary Actions**: An attacker can perform actions on behalf of the authenticated user.
## Affected Component
The vulnerability exists in the following pages:
- Wireless Security Configuration Page (2.4GHz & 5GHz)
- WPA/WAPI Passphrase Field
- Status Page (`<a href="javascript:pin_window()">...</a>`)
## Attack Vectors
### Steps to Reproduce
1. **Log in to the Router Web Interface**
   - Open a web browser and navigate to the router's admin panel (e.g., `http://192.168.100.1`).
   - Enter valid admin credentials.
2. **Inject the Malicious XSS Payload in Both Wireless Bands**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Wireless > Security** under 2.4GHz (wl0).
     2. Locate the **WPA/WAPI Passphrase** field.
     3. Inject the following XSS payload into the passphrase field:
        ```html
        </center><script>alert("XSS Triggered")</script>
        ```
     4. Click **Apply/Save** to store the malicious payload.
   - **For 5GHz Band (wl1):**
     1. Repeat the same steps as above in 5GHz (wl1) Security Settings.
3. **Trigger the XSS Execution**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Status** from the navigation menu.
     2. Click **2.4GHz (wl0)**.
     3. Click **"Click here to display"** next to the Password field.
     4. The XSS payload executes inside the pop-up.
   - **For 5GHz Band (wl1):**
     1. Perform the same steps in **Status > 5GHz (wl1)** to trigger the XSS.
## Discoverer
- **Name**: Asim Barnawi
## References
- [DZS Official Website](https://dzsi.com)
- [ZNID-GPON-2428B1-0ST Product Page](https://dzsi.com/product/2428b1/)
## Mitigation
- **Vendor Action**: The vendor should sanitize user input in the WPA/WAPI Passphrase field to prevent the execution of malicious scripts.
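
The payload in the reproduction steps is 48 printable ASCII characters, so it is itself a well-formed WPA passphrase and a length/charset check on input will not reject it; the stored value has to be HTML-encoded where the Status page pop-up renders it. The sketch below is an added example, not DZS firmware code and not part of the original advisory; the function names and the `<center>` wrapper (inferred from the payload's leading `</center>`) are assumptions.

```javascript
// Added example: hypothetical helpers, not the vendor's code.

// WPA/WPA2-PSK passphrases are 8-63 printable ASCII characters (0x20-0x7E).
// "<", ">" and quotes are legal, so validation alone cannot stop the payload.
function isValidWpaPassphrase(value) {
  return typeof value === "string" && /^[\x20-\x7E]{8,63}$/.test(value);
}

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed): stored value concatenated into pop-up markup.
function renderPopupUnsafe(passphrase) {
  return "<center>" + passphrase + "</center>";
}

// Hardened pattern: encode at the point of output, store the value unchanged
// so the passphrase still matches what Wi-Fi clients must type.
function renderPopupSafe(passphrase) {
  return "<center>" + escapeHtml(passphrase) + "</center>";
}

// Constructed sample input: the payload string from the steps above.
const stored = '</center><script>alert("XSS Triggered")</script>';

console.log("passes passphrase validation:", isValidWpaPassphrase(stored));
console.log("unsafe markup:", renderPopupUnsafe(stored));
console.log("safe markup:  ", renderPopupSafe(stored));
```

Encoding on output rather than stripping characters on input keeps passphrases that legitimately contain `<` or `&` usable while making them inert in the pop-up.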
---
**Disclaimer**: This repository is for informational purposes only. The discoverer and publisher of this information are not responsible for any misuse of the disclosed vulnerability.