Title: deVolo dLAN 550 duo+ Starter Kit Cross-Site Request Forgery
Advisory ID: ZSL-2019-5507
Type: Remote/Local
Impact: Cross-Site Scripting
Risk: 3/5
Release Date: 03.02.2019
Affected Version: dLAN 500 AV Wireless+ 3.1.0-1 (1386)
Vendor: deVolo AG - https://www.devolo.com
PoC: devolo_csrf.txt
Credits: Vulnerability discovered by Stefan Petrushevski

References:
- [1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php
- [2] https://www.exploit-db.com/exploits/46324
- [3] https://packetstormsecurity.com/files/151526
- [4] https://cxsecurity.com/issue/WLB-2019020039
- [5] https://exchange.xforce.ibmcloud.com/vulnerabilities/156595

Vendor Status:
- [04.10.2017] Vulnerability discovered.
- [11.10.2017] Vendor contacted via email.
- [14.10.2017] No response from the vendor.
- [15.10.2017] Second attempt - Vendor contacted via email.
- [02.02.2019] No response from the vendor.
- [03.02.2019] Public security advisory released.