CVE-2022-40846 Tenda AC1200 Router has a stored XSS vulnerability that allows an attacker to execute JavaScript code via the applications stored hostname.

CVE-2022-40846 Tenda AC1200 Router has a stored XSS vulnerability that allows an attacker to execute JavaScript code via the applications stored hostname.

An attacker can exploit this vulnerability to perform remote code execution in the context of the affected application or the user of the affected application.
A vulnerability has been discovered in the web-based management interface of Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) allowing an attacker to conduct a reflected cross site scripting attack. An attacker can exploit this vulnerability to execute arbitrary script code in the context of the affected application or the user of the affected application.

It was reported that there are many Android devices with Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) installed. The system-level Android app lacks a proper authorization mechanism and lacks the same level of security as the native iOS app. An attacker can exploit this vulnerability to conduct a reflected cross-site scripting attack.

It was discovered that Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) has a feature named “Connections”. Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) allows access to the “Connections” feature by default. These details were discovered by Eviota security researchers. By default, “Connections” provides remote access to the router settings. An attacker can use this remote access to conduct a reflected cross-site scripting attack.

It was

Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) Router Overview

Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) is a router for home networks. Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) is powered by the Linux operating system and has a web-based management interface that allows users to configure settings of their router remotely.

The vulnerable feature in Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) which can be exploited by an attacker is its web-based management interface which lacks proper authorization mechanisms and security measures that would prevent remote access to the device settings and remote cross-site scripting attacks, according to the vulnerability report disclosed on Eviota Security website

Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) Web Based Management API

A remote code execution vulnerability has been discovered in the web-based management interface of Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) allowing an attacker to conduct a reflected cross site scripting attack.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe