CVE-2013-6786

Allegrosoft Rompager < 4.07 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.

References (3)

[Exploit] http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf

[Third Party Advisory, VDB Entry] http://osvdb.org/99694

[Exploit] http://osvdb.org/ref/99/rompager407.pdf

Scores

EPSS 0.0027

EPSS Percentile 50.1%

Details

CWE

CWE-79

Status published

Products (8)

allegrosoft/rompager < 4.07

dlink/dsl-2640r

dlink/dsl-2641r

huawei/mt882

sitecom/wl-174

tp-link/td-8816

zyxel/p-660hw_d1

n/a/n/a

Published Jan 16, 2014

Tracked Since Feb 18, 2026