CVE-2014-4645

D-Link DSL-2760U-E1 - Stored Cross-Site Scripting via Hostname in dhcpinfo.html

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4645. PoCs published by Yuval tisf Nativ.

AI-analyzed exploit summary This script exploits a persistent XSS vulnerability in D-Link devices by changing the hostname to a malicious payload. The XSS is triggered when a user accesses the 'dhcpinfo.html' page, which lists connected machines.

Description

Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-link DSL-2760U-E1 allows remote attackers to inject arbitrary web script or HTML via a hostname.

Exploits (1)

exploitdb WORKING POC

by Yuval tisf Nativ · bashwebappshardware

https://www.exploit-db.com/exploits/33822

View Code ZIP pw:eip

This script exploits a persistent XSS vulnerability in D-Link devices by changing the hostname to a malicious payload. The XSS is triggered when a user accesses the 'dhcpinfo.html' page, which lists connected machines.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: D-Link devices (specific version not specified)

Auth required

Prerequisites: root access on the target system · access to the 'dhcpinfo.html' page

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/33822

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/68144

Scores

EPSS 0.0300

EPSS Percentile 86.8%

Details

CWE

CWE-79

Status published

Products (1)

dlink/dsl-2760u-e1

Published Jun 25, 2014

Tracked Since Feb 18, 2026