- Description
- Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.
- Source
- cve@mitre.org
- NVD status
- Analyzed
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:N/I:P/A:N
- nvd@nist.gov
- CWE-79
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:allegrosoft:rompager:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FDBB61DF-D173-4046-B619-C762147742A8",
"versionEndIncluding": "4.07"
},
{
"criteria": "cpe:2.3:h:dlink:dsl-2640r:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3F29B74A-18E6-45AD-BACD-27AA2777DB70"
},
{
"criteria": "cpe:2.3:h:dlink:dsl-2641r:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "62B6395E-1FEF-4F66-9B50-8E9038AD469A"
},
{
"criteria": "cpe:2.3:h:huawei:mt882:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0527EC70-2D03-4BEB-A1CB-F34DC1AB1BE8"
},
{
"criteria": "cpe:2.3:h:sitecom:wl-174:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "85367E17-94F4-49B2-80D9-977AF0C52CD6"
},
{
"criteria": "cpe:2.3:h:tp-link:td-8816:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "BE41D744-06A9-4522-B409-414E11483DD3"
},
{
"criteria": "cpe:2.3:h:zyxel:p-660hw_d1:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1D13FB1A-637D-4E69-B84F-05531DCA5769"
}
],
"operator": "OR"
}
]
}
]