CVE-2013-6786
Allegro RomPager < 4.07 - Cross-Site Scripting via Crafted HTTP Referer Header
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.
References (3)
Core 3
Core References
Exploit x_refsource_misc
http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/99694
Exploit x_refsource_misc
http://osvdb.org/ref/99/rompager407.pdf
Scores
EPSS
0.0027
EPSS Percentile
50.4%
Details
CWE
CWE-79
Status
published
Products (7)
allegrosoft/rompager
< 4.07
dlink/dsl-2640r
dlink/dsl-2641r
huawei/mt882
sitecom/wl-174
tp-link/td-8816
zyxel/p-660hw_d1
Published
Jan 16, 2014
Tracked Since
Feb 18, 2026