D-Link’s 2760N (DSL-2760U-BN) routers allegedly contain a number of stored and reflective cross-site scripting (XSS) vulnerabilities.
Researcher Liad Mizrachi said he contacted D-Link on six separate occasions – twice in August, twice in September, and once in October – to disclose the details of the bugs, but that the vendor has failed to respond to any of the disclosures. Threatpost reached out to D-Link for comment, but the company did not respond before publication.
The vulnerabilities are present in various sections of the router’s Web user interface.
According to a posting on the Full Disclosure mailing list, the 2760N router’s XSS bugs exist in the NTS settings, parental control, URL filtering, NAT port triggering, IP filtering, interface grouping, Simple Network Management Protocol, incoming IP filter, policy routing, printer server, SAMBA configuration, and Wi-Fi SSID Web interfaces.
These bugs follow a more serious backdoor vulnerability that emerged last month and could have given an attacker the ability to access affected routers and perform any action he or she pleased. D-Link is reportedly in the process of patching that bug.