CVE-2013-6786

Severity Score (CVSS v3): 6.1
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 2
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.


Credits: N/A
CVSS Scores

CVSS v3 (base score 6.1; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

CVSS v2 (vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2013-11-12 CVE Reserved
  • 2014-01-16 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions

Vendor       Product      Version   Status
Allegrosoft  Rompager     <= 4.07   Affected
Dlink        Dsl-2640r    --        Affected
Dlink        Dsl-2641r    --        Affected
Huawei       Mt882        --        Affected
Sitecom      Wl-174       --        Affected
Tp-link      Td-8816      --        Affected
Zyxel        P-660hw D1   --        Affected