A Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2023-23313, has recently been discovered in several Draytek products. The affected products include Vigor391, Vigor100B, Vigor2962, Vigor2865, Vigor2866, Vigor2927, Vigor2915, Vigor2765, Vigor2766, Vigor2135, Vigor2763, Vigor2862, Vigor2926, Vigor2925, Vigor2952, Vigor322, Vigor2133, Vigor2762, and Vigor2832. The vulnerable components are the wlogin.cgi and user_login.cgi scripts in the routers' web application management portal.

Exploit Details

The vulnerability exists because the aforementioned CGI scripts in the web application management portal do not sufficiently sanitize user-supplied input. Attackers can exploit this to inject malicious scripts, which are executed in the browser of an unsuspecting user who accesses the management portal.

The following code snippet demonstrates a sample XSS payload that an attacker can use to exploit the vulnerability:

<script>alert('XSS');</script>

An attacker can craft a URL similar to the following, where router_url stands for the actual router's URL and sample_payload for the attacker's desired payload:

http://router_url/wlogin.cgi?user_name=sample_payload

With the sample payload above, the unsuspecting user would be presented with an alert message once they access the crafted URL.

Mitigation

Draytek is expected to release patches for the affected products soon. Users are strongly advised to update their devices to the latest firmware version once it is available. Until then, users should be informed of the potential risks and should exercise caution when accessing the router's web application management portal.
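Until patched firmware is installed, requests of the shape described under Exploit Details can be looked for in proxy or web-gateway logs. The following is an added example, not Draytek's code or part of the original advisory: it flags requests to wlogin.cgi or user_login.cgi whose query parameters decode to HTML metacharacters. The access-log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Login endpoints named in the advisory.
TARGET_PATHS = {"/wlogin.cgi", "/user_login.cgi"}
# HTML metacharacters that have no place in a login field.
MARKUP = re.compile(r"[<>\"'`]")
# Request extractor for a combined-log-style line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return names of query parameters on a target path that carry markup."""
    parts = urlsplit(url)
    if parts.path.lower() not in TARGET_PATHS:
        return []
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if MARKUP.search(fully_decode(value))]

def scan(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        names = suspicious_params(match.group(1)) if match else []
        if names:
            findings.append((number, names))
    return findings

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2023:22:15:00 +0000] "GET /wlogin.cgi?user_name=admin HTTP/1.1" 200 512',
    '192.0.2.11 - - [03/Mar/2023:22:16:00 +0000] "GET /wlogin.cgi?user_name=%3Cscript%3Ealert(%27XSS%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [03/Mar/2023:22:17:00 +0000] "GET /user_login.cgi?user_name=%253Cb%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [03/Mar/2023:22:18:00 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: markup in parameter(s) {', '.join(names)}")
```

A hit only shows that such a link was requested through the logging device; it does not show whether the router reflected the input.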

Conclusion

This vulnerability highlights the importance of timely security updates and of awareness of the risks associated with running unpatched or older router firmware. While a patch is expected soon, users should take precautionary measures to avoid falling victim to possible XSS attacks.

Timeline

Published on: 03/03/2023 22:15:00 UTC
Last modified on: 03/10/2023 14:52:00 UTC