CVE-2025-26202 PoC: DZS ZNID-GPON-2428B1-0ST Cross-Site Scripting Vulnerability

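Related vulnerability
Title: DZS ZNID-GPON-2428B1-0ST Cross-Site Scripting Vulnerability (CVE-2025-26202)
Description: The DZS ZNID-GPON-2428B1-0ST is a router made by DZS. The DZS ZNID-GPON-2428B1-0ST has a cross-site scripting vulnerability: the device is susceptible to cross-site scripting attacks, which allows malicious code to be injected.
Introduction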
# CVE-2025-26202-Details

# CVE-2025-26202: Cross-Site Scripting (XSS) in DZS Router Web Interface

## Description
A **Cross-Site Scripting (XSS)** vulnerability exists in the WPA/WAPI Passphrase field of the Wireless Security settings (2.4GHz & 5GHz bands) in the DZS Router Web Interface. An authenticated attacker can inject malicious JavaScript into the passphrase field, which is stored and later executed when an administrator views the passphrase via the "Click here to display" option on the Status page.

## Affected Products
- **Vendor**: DZS
- **Product**: ZNID-GPON-2428B1-0ST
- **Firmware Version**: S4.2.022

## Vulnerability Type
- **Cross-Site Scripting (XSS)**

## Impact
- **Session Hijacking**: An attacker can hijack the administrator's session.
- **Arbitrary Actions**: An attacker can perform actions on behalf of the authenticated user.

## Affected Component
The vulnerability exists in the following pages:
- Wireless Security Configuration Page (2.4GHz & 5GHz)
- WPA/WAPI Passphrase Field
- Status Page (`<a href="javascript:pin_window()">...</a>`)

## Attack Vectors
### Steps to Reproduce
1. **Login to the Router Web Interface**
   - Open a web browser and navigate to the router's admin panel (e.g., `http://192.168.100.1`).
   - Enter valid admin credentials.

2. **Inject the Malicious XSS Payload in Both Wireless Bands**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Wireless > Security** under 2.4GHz (wl0).
     2. Locate the **WPA/WAPI Passphrase** field.
     3. Inject the following XSS payload into the passphrase field:
        ```html
        </center><script>alert("XSS Triggered")</script>
        ```
     4. Click **Apply/Save** to store the malicious payload.
   - **For 5GHz Band (wl1):**
     1. Repeat the same steps as above in 5GHz (wl1) Security Settings.

3. **Trigger the XSS Execution**
   - **For 2.4GHz Band (wl0):**
     1. Navigate to **Status** from the navigation menu.
     2. Click **2.4GHz (wl0)**.
     3. Click **"Click here to display"** next to the Password field.
     4. The XSS payload executes inside the pop-up.
   - **For 5GHz Band (wl1):**
     1. Perform the same steps in **Status > 5GHz (wl1)** to trigger the XSS.

## Discoverer
- **Name**: Asim Barnawi

## References
- [DZS Official Website](https://dzsi.com)
- [ZNID-GPON-2428B1-0ST Product Page](https://dzsi.com/product/2428b1/)

## Mitigation
- **Vendor Action**: The vendor should sanitize user input in the WPA/WAPI Passphrase field to prevent the execution of malicious scripts.
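
The following is an added example, not code from the router firmware or from this repository. It shows why rejecting input by format cannot fix this issue (the advisory's test string is a legal WPA passphrase: 8 to 63 printable ASCII characters) and why the stored value must be HTML-encoded when the Status pop-up is rendered. The function names and the `<center>` pop-up markup are assumptions made for illustration.

```javascript
// Added example: not the router firmware's code. Function names and the
// pop-up markup are hypothetical stand-ins for the Status page pop-up.

// WPA passphrases are 8-63 printable ASCII characters (0x20-0x7E), or 64 hex
// digits for a raw PSK. Note that '<', '>' and '"' are all legal characters.
function isValidWpaPassphrase(p) {
  return /^[\x20-\x7E]{8,63}$/.test(p) || /^[0-9A-Fa-f]{64}$/.test(p);
}

// Encode the five HTML-significant characters (element and attribute context).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored value is concatenated into markup unchanged.
function renderPopupUnsafe(passphrase) {
  return '<html><body><center>' + passphrase + '</center></body></html>';
}

// Hardened pattern: encode at output time, regardless of what was stored.
function renderPopupSafe(passphrase) {
  return '<html><body><center>' + escapeHtml(passphrase) + '</center></body></html>';
}

// The test string from the reproduction steps above.
const advisoryString = '</center><script>alert("XSS Triggered")</script>';

// Compare the format check with the two rendering paths.
function demo() {
  return {
    passesFormatCheck: isValidWpaPassphrase(advisoryString),
    unsafeHasScriptTag: renderPopupUnsafe(advisoryString).includes('<script>'),
    safeHasScriptTag: renderPopupSafe(advisoryString).includes('<script>'),
    safeOutput: renderPopupSafe(advisoryString),
  };
}

console.log(demo());
```

Because the encoded output still displays the exact passphrase characters to the administrator, this approach keeps every legal passphrase usable while removing the script execution path.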

---

**Disclaimer**: This repository is for informational purposes only. The discoverer and publisher of this information are not responsible for any misuse of the disclosed vulnerability.