CVE-2013-5223
Published: 2013-11-19
Priority: P2 · 74 · medium · 5.4 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (due 2022-04-15)
Exploited in the wild
EPSS: 33.57% (98.2th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev. E1) allow remote authenticated users to inject arbitrary web script or HTML via the (1) ntpServer1 parameter to sntpcfg.cgi, username parameter to (2) ddnsmngr.cmd or (3) todmngr.tod, (4) TodUrlAdd parameter to urlfilter.cmd, (5) appName parameter to scprttrg.cmd, (6) fltName in an add action or (7) rmLst parameter in a remove action to scoutflt.cmd, (8) groupName parameter to portmapcfg.cmd, (9) snmpRoCommunity parameter to snmpconfig.cgi, (10) fltName parameter to scinflt.cmd, (11) PolicyName in an add action or (12) rmLst parameter in a remove action to prmngr.cmd, (13) ippName parameter to ippcfg.cmd, (14) smbNetBiosName or (15) smbDirName parameter to samba.cgi, or (16) wlSsid parameter to wlcfg.wl.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dlink | dsl-2760u_firmware | < 1.12 | 1.12 |
Detection & IOCs (extracted from sources)
- URL: /todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E&mac=AA:BB:CC:DD:EE:FF&days=1&start_time=720&end_time=840
- URL: /todmngr.tod?action=set_url&TodUrlAdd=GameOver%3Cscript%20src%3D%27%2f%2fxlabs.com.br%2fxssi.js%27%3E%3C%2fscript%3E&port_num=1234
- Monitor HTTP GET requests to any of the vulnerable CGI/CMD endpoints (sntpcfg.cgi, ddnsmngr.cmd, todmngr.tod, urlfilter.cmd, scprttrg.cmd, scoutflt.cmd, portmapcfg.cmd, snmpconfig.cgi, scinflt.cmd, prmngr.cmd, ippcfg.cmd, samba.cgi, wlcfg.wl) containing URL-encoded script tags (e.g., %3Cscript%3E) in parameter values.
- Detect exploit tool activity by alerting on the User-Agent string 'XLabs Security Exploit Browser/1.0' in HTTP request logs targeting D-Link gateway management interfaces.
- Alert on GET requests to /todmngr.tod with action=add or action=set_url containing URL-encoded HTML/script payloads in the username or TodUrlAdd parameters, as used by the proof-of-concept exploits.
- Flag outbound script loads from device management pages to external domains (e.g., xlabs.com.br/xssi.js), which indicate successful stored XSS exploitation via the TodUrlAdd parameter.
- The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not possible per the CVE description.
- The CVE specifically affects D-Link DSL-2760U Gateway Rev. E1; the exploit-db PoCs target the related DSL-500B Gen 2 model, so detection rules should account for both device variants on the network.
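The request-log checks listed above can be sketched as a small log scanner. This is an added example, not code from any of the indexed sources; it assumes the management traffic is logged in Apache/nginx "combined" format, and the sample lines, the `inspect` and `sample_line` names, and the markup heuristic are constructed for illustration. It also decodes double percent-encoding, which a plain `%3Cscript%3E` string match would miss.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Endpoint names and the tool User-Agent are the ones listed on this page.
ENDPOINTS = {
    "sntpcfg.cgi", "ddnsmngr.cmd", "todmngr.tod", "urlfilter.cmd",
    "scprttrg.cmd", "scoutflt.cmd", "portmapcfg.cmd", "snmpconfig.cgi",
    "scinflt.cmd", "prmngr.cmd", "ippcfg.cmd", "samba.cgi", "wlcfg.wl",
}
TOOL_UA = "XLabs Security Exploit Browser/1.0"
# Heuristic (assumption): an HTML tag never belongs in a router setting value.
MARKUP = re.compile(r"<\s*[a-z/!]", re.I)
# Assumed log layout: Apache/nginx "combined" format.
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def fully_decode(value, rounds=3):
    """Undo extra layers of percent-encoding (e.g. %253C) left after parse_qsl."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def inspect(line):
    """Return (rule, endpoint, detail) findings for one access-log line."""
    m = LINE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    endpoint = url.path.rsplit("/", 1)[-1].lower()
    findings = []
    if m["ua"] == TOOL_UA:
        findings.append(("tool-user-agent", endpoint, m["ua"]))
    if endpoint in ENDPOINTS:
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if MARKUP.search(fully_decode(value)):
                findings.append(("markup-in-parameter", endpoint, name))
    return findings

def sample_line(target, ua="Mozilla/5.0"):  # constructed, not captured traffic
    return (f'192.0.2.10 - admin [11/May/2015:10:00:00 +0000] '
            f'"GET {target} HTTP/1.1" 200 512 "-" "{ua}"')

SAMPLE = [
    sample_line("/todmngr.tod?action=add&username=kids-laptop&days=1"),
    sample_line("/todmngr.tod?action=add&username=%3Cb%3Etest%3C%2Fb%3E&days=1"),
    sample_line("/wlcfg.wl?wlSsid=%253Cimg%2520src%253Dx%253E"),
    sample_line("/sntpcfg.cgi?ntpServer1=pool.example", ua=TOOL_UA),
]
```

Run `inspect` over each line of the gateway-facing proxy or web log and alert on any non-empty result; the first sample line is a normal configuration request and yields no finding.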
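CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| vulncheck | | 5.4 | MEDIUM | |
| cisa | | 5.4 | MEDIUM | |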
GHSA
GHSA-pjh8-cj3j-fv9q: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev
ghsa_unreviewed·2022-05-17
CVE-2013-5223 [LOW] CWE-79 GHSA-pjh8-cj3j-fv9q: Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev
VulnCheck
D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability
vulncheck·2013·CVSS 5.4
CVE-2013-5223 [MEDIUM] CWE-79 D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability exists in the D-Link DSL-2760U gateway, allowing remote authenticated users to inject arbitrary web script or HTML.
Affected: D-Link DSL-2760U
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github; https://www.fortiguard.com/threat-signal-report/4389/botenago-malware-targets-multiple-iot-devices; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
CISA
D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability
cisa·2022-03-25·CVSS 5.4
CVE-2013-5223 [MEDIUM] CWE-79 D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability
Vulnerability: D-Link DSL-2760U Gateway Cross-Site Scripting Vulnerability
Affected: D-Link DSL-2760U
A cross-site scripting (XSS) vulnerability exists in the D-Link DSL-2760U gateway, allowing remote authenticated users to inject arbitrary web script or HTML.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-5223
Remediation Due Date: 2022-04-15
No detection rules found.
Exploit-DB
D-Link DSL-500B Gen 2 - Parental Control Configuration Panel Persistent Cross-Site Scripting
exploitdb·2015-05-11
CVE-2013-5223 D-Link DSL-500B Gen 2 - Parental Control Configuration Panel Persistent Cross-Site Scripting
---
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
if (@ARGV != 3){
print "\n
Exploit-DB
D-Link DSL-500B Gen 2 - URL Filter Configuration Panel Persistent Cross-Site Scripting
exploitdb·2015-05-11
CVE-2013-5223 D-Link DSL-500B Gen 2 - URL Filter Configuration Panel Persistent Cross-Site Scripting
---
#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod URL Filter
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;
my $ip = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];
if (@ARGV != 3){
prin
No writeups or analysis indexed.
References
- http://osvdb.org/99603
- http://osvdb.org/99604
- http://osvdb.org/99605
- http://osvdb.org/99606
- http://osvdb.org/99607
- http://osvdb.org/99608
- http://osvdb.org/99609
- http://osvdb.org/99610
- http://osvdb.org/99611
- http://osvdb.org/99612
- http://osvdb.org/99613
- http://osvdb.org/99615
- http://osvdb.org/99616
- http://packetstormsecurity.com/files/123976
- http://seclists.org/fulldisclosure/2013/Nov/76
- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10002
- https://exchange.xforce.ibmcloud.com/vulnerabilities/88723
- https://exchange.xforce.ibmcloud.com/vulnerabilities/88724
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-5223
Timeline
- 2013-11-19: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild