######################################################################### Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting# Date: 11.02.2018# Vendor Homepage:http://www.dlink.co.in# Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M# Category: Hardware# Exploit Author: Prasenjit Kanti Paul# Web: http://hack2rule.wordpress.com/# Hardware Version: C1# Firmware version: 3.01# Tested on: Linux Mint# CVE: CVE-2018-6936##########################################################################
Reproduction Steps:- Goto your wifi router gateway [i.e: http://192.168.0.1]- Go to -->"Maintainence"-->"Admin"- Create a user with name "<script>alert("PKP")</script>"- Refresh the page and you will be having "PKP" popup
Note: It can also be done by changing SSID name to "<script>alert("PKP")</script>"